
Windows Analysis Report
5JbQqP8SDG.exe

Overview

General Information

Sample Name: 5JbQqP8SDG.exe
Analysis ID: 623788
MD5: 250d122f4af32b52435a02787689ebbd
SHA1: 39346c41bcb75109dac251320d4afea649538f85
SHA256: 14f5c3ab5cbad5d2f6e751e8b3d42204460b8b10a38285623734d631a2ceda09
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 5JbQqP8SDG.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\5JbQqP8SDG.exe" MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 6368 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 5JbQqP8SDG.exe (PID: 4676 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
      • schtasks.exe (PID: 1408 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5564 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 5JbQqP8SDG.exe (PID: 5976 cmdline: C:\Users\user\Desktop\5JbQqP8SDG.exe 0 MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 4536 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 5JbQqP8SDG.exe (PID: 7040 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
  • dhcpmon.exe (PID: 6388 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 4176 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp5777.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 4788 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
  • dhcpmon.exe (PID: 6700 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 7052 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp58BF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 2260 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(107 memory-dump entries in total; only the first are listed here)
Source | Rule | Description | Author | Strings
6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x40a6:$x1: NanoCore.ClientPluginHost
6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x40a6:$x2: NanoCore.ClientPluginHost
  • 0x4184:$s4: PipeCreated
  • 0x40c0:$s5: IClientLoggingHost
6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0x40f0:$x2: NanoCore.ClientPlugin
  • 0x40a6:$x3: NanoCore.ClientPluginHost
  • 0x4106:$i3: IClientNetwork
  • 0x40c0:$i6: IClientLoggingHost
  • 0x3e3f:$s1: ClientPlugin
  • 0x40f9:$s1: ClientPlugin
11.2.5JbQqP8SDG.exe.37c1488.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.5JbQqP8SDG.exe.37c1488.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
(117 unpacked-PE entries in total; only the first are listed here)

      AV Detection

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Stealing of Sensitive Information

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      No Snort rule has matched


      AV Detection

      Source: 5JbQqP8SDG.exe, Virustotal: Detection: 57%
      Source: 5JbQqP8SDG.exe, ReversingLabs: Detection: 63%
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 63%
      Source: C:\Users\user\AppData\Roaming\GryVAO.exe, ReversingLabs: Detection: 63%
      Source: Yara match, File source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR
      Source: 5JbQqP8SDG.exe, Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\GryVAO.exe, Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 5JbQqP8SDG.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 5JbQqP8SDG.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp

      Networking

      Source: global traffic, TCP traffic: 185.19.85.175 ports 0,1,2,4,5,50421
      Source: unknown, DNS query: name: lowspeed121.ddns.net
      Source: global traffic, TCP traffic: 192.168.2.5:49775 -> 185.19.85.175:50421
      Source: 5JbQqP8SDG.exe, 00000000.00000003.438967518.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://en.w
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com
      Source: 5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com=
      Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: 5JbQqP8SDG.exe, 00000000.00000003.455928032.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.agfamonotype.p
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: 5JbQqP8SDG.exe, 00000000.00000003.444977276.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445248230.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445508362.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.comexc
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.coml
      Source: 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.co
      Source: 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com
      Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com.
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
      Source: 5JbQqP8SDG.exe, 00000000.00000003.450491433.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450590496.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450679414.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
      Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comaK
      Source: 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comaU
      Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comalic
      Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comals
      Source: 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comd
      Source: 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comepko8
      Source: 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comf
      Source: 5JbQqP8SDG.exe, 00000000.00000003.448954375.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comicTF
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.com
      Source: 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.comc
      Source: 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.comce
      Source: 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.comu
      Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.c
      Source: 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn=
      Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cnH
      Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cnU
      Source: 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cnl-nFp0
      Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cnsof
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: 5JbQqP8SDG.exe, 00000000.00000003.454422256.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmc
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.goodfont.co.kr
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.com
      Source: 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.com=
      Source: 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.comK
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sakkal.com
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sandoll.co.kr
      Source: 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sandoll.co.kr%
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440416859.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440348993.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.tiro.com
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.typography.netD
      Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.urwpp.de
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
      Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.urwpp.deX
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
      Source: unknown, DNS traffic detected: queries for: lowspeed121.ddns.net
      Source: 5JbQqP8SDG.exe, 00000000.00000002.485929234.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud

      Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR

      Operating System Destruction

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process information set: 01 00 00 00

      System Summary

      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.5JbQqP8SDG.exe.2cc21a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.31921e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.26721a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5JbQqP8SDG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.5JbQqP8SDG.exe.2cc21a8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.31921e8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
      Source: 11.2.5JbQqP8SDG.exe.26721a8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 0_2_00792A9A
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 0_2_00F2C084
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 0_2_00F2E398
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 0_2_00F2E388
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 6_2_007E2A9A
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 11_2_001A2A9A
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 11_2_00ABC084
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 11_2_00ABE388
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Code function: 11_2_00ABE398
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00DA2A9A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02F7E398
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02F7E388
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02F7C084
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E80BB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E88B68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E89F70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E81350
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8A5F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E82148
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E83028
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8D430
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E82FE6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8A3D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E85780
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E85380
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E85370
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E85770
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E81340
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E88B58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E80B21
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E862C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E862C3
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E84AA0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E89698
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E84A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E89696
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8DE48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E855A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E84DA0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E84D90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E85593
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8CD70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E85148
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E82142
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8513A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8A8B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E89068
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E80040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E8E430
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E80006
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E83007
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E88C19
Source: 5JbQqP8SDG.exe, 00000000.00000002.491013592.0000000003290000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000000.00000000.435226561.0000000000828000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000000.00000002.494434677.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000000.00000002.485929234.0000000000F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000000.00000002.492892204.00000000040CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000006.00000000.480282056.0000000000878000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 0000000B.00000002.601550993.00000000071D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 0000000B.00000002.597247908.0000000002C40000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 0000000B.00000002.580726200.0000000000238000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs 5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GryVAO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5JbQqP8SDG.exe | Virustotal: Detection: 57%
Source: 5JbQqP8SDG.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File read: C:\Users\user\Desktop\5JbQqP8SDG.exe
Source: 5JbQqP8SDG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe "C:\Users\user\Desktop\5JbQqP8SDG.exe"
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe {path}
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe C:\Users\user\Desktop\5JbQqP8SDG.exe 0
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp5777.tmp
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp58BF.tmp
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess created: C:\Users\user\Desktop\5JbQqP8SDG.exe {path}
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile created: C:\Users\user\AppData\Roaming\GryVAO.exe
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile created: C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
      Source: classification engineClassification label: mal100.troj.evad.winEXE@28/12@9/1
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{3f629223-43f7-4f4e-b56f-3f91ee5e5e46}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile created: C:\Program Files (x86)\DHCP Monitor
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 5JbQqP8SDG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 5JbQqP8SDG.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp

      Data Obfuscation

      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_07AF2224 push dword ptr [edx+ebp*2-75h]; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_07AF2142 push dword ptr [ebx+ebp-75h]; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_07E86710 push 93FFFFFEh; iretd
      Source: initial sampleStatic PE information: section name: .text entropy: 7.65135197379
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile created: C:\Users\user\AppData\Roaming\GryVAO.exe
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeFile opened: C:\Users\user\Desktop\5JbQqP8SDG.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara match File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR
      Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe TID: 6556 Thread sleep time: -15679732462653109s >= -30000s
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe TID: 632 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5692 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Window / User API: threadDelayed 6415
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Window / User API: threadDelayed 2992
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Window / User API: foregroundWindowGot 705
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process information queried: ProcessInformation
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Memory written: C:\Users\user\Desktop\5JbQqP8SDG.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe {path}
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp5777.tmp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: 5JbQqP8SDG.exe, 00000006.00000002.721142281.00000000060DB000.00000004.00000010.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.722065655.0000000006EDE000.00000004.00000010.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.716969758.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719382712.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719096304.0000000002CED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719647422.0000000003012000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719382712.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719493359.0000000002F16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerL@
      Source: 5JbQqP8SDG.exe, 00000006.00000002.716969758.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719647422.0000000003012000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager8%n2
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Users\user\Desktop\5JbQqP8SDG.exe VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Users\user\Desktop\5JbQqP8SDG.exe VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Users\user\Desktop\5JbQqP8SDG.exe VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      Source: Yara match File source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE
      Source: Yara match File source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR

      Remote Access Functionality

      Source: 5JbQqP8SDG.exe, 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 5JbQqP8SDG.exe, 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: 5JbQqP8SDG.exe, 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: Yara matchFile source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR
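The memory-dump identifiers in the Yara match list above encode where each hit sits (process index, dump phase, base address, page protection, memory type). The Python below is an editor's example added to this page, not part of the Joe Sandbox report: it parses those identifiers and groups the hits per process so that the region type can be read off, since executable private memory at 0x402000 is what an injected or unpacked PE looks like, while the loader maps legitimate images as MEM_IMAGE. Process index and base address cross-check against the unpacked-PE names in the report (process 0x0E is dhcpmon.exe, process 6 the injected 5JbQqP8SDG.exe); the protection and memory-type constants are the standard winnt.h values. The meaning of the phase field and of the two remaining fields is not documented on this page, so the code keeps them raw (assumption). The sample lines are copied from the list above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows memory constants (winnt.h values).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000

# Layout of a Joe Sandbox dump name as it appears in this report:
#   <process index>.<phase>.<dump id>.<base address>.<protection>.<flags>.<memory type>.<reserved>.sdmp
# Process index, base address, protection and memory type are confirmed by cross-reading the
# report (process 0x0E is dhcpmon.exe; 0x402000 with protection 0x40 is the unpacked PE).
# The <flags> and <reserved> fields are not documented on the page and are kept raw (assumption).
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<reserved>[0-9A-F]{8})\.sdmp"
)
PIDSPACE_RE = re.compile(r"Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)")


@dataclass(frozen=True)
class Dump:
    process: int    # Joe process index, the "6" in "6.2.5JbQqP8SDG.exe.400000.0.unpack"
    phase: int      # Joe dump phase (0 and 2 occur on this page); not interpreted here
    base: int       # region base address
    protect: int    # PAGE_* protection of the region
    mem_type: int   # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE


def parse_dump_id(text: str):
    """Return a Dump for the first dump identifier found in `text`, or None."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    return Dump(int(m["proc"], 16), int(m["phase"], 16), int(m["base"], 16),
                int(m["prot"], 16), int(m["mtype"], 16))


def classify(d: Dump) -> str:
    """Read the region the way an analyst does: the loader maps executables as MEM_IMAGE,
    so executable *private* memory is code that something wrote there by hand."""
    if d.mem_type == MEM_IMAGE:
        return "image (loader-mapped)"
    executable = bool(d.protect & 0xF0)   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
    if executable:
        return "executable private (manually mapped code)" if d.mem_type == MEM_PRIVATE else "executable non-image"
    return "RW private (data/heap)" if d.mem_type == MEM_PRIVATE else "RW mapped"


def summarise(lines):
    """Group Yara hits by process index and collect the live-process PID lines.
    Returns ({process: [(base, label), ...]}, {pid: image})."""
    hits = defaultdict(set)
    pids = {}
    for line in lines:
        d = parse_dump_id(line)
        if d is not None:
            hits[d.process].add((d.base, classify(d)))
            continue
        pm = PIDSPACE_RE.search(line)
        if pm:
            pids[int(pm["pid"])] = pm["image"]
    return {p: sorted(v) for p, v in hits.items()}, pids


# Sample input: six "Source:" lines copied from the Yara match list above.
REPORT_LINES = [
    "Source: Yara match File source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR",
]

if __name__ == "__main__":
    hits, pids = summarise(REPORT_LINES)
    for proc in sorted(hits):
        for base, label in hits[proc]:
            print(f"process {proc:2d}  0x{base:08X}  {label}")
    for pid, image in pids.items():
        print(f"string hits in live process {image} (PID {pid})")
```

Run against the full list rather than the six sample lines and the grouping shows the same picture the report's signatures describe: every process carrying the RAT has an executable private region at 0x402000 (the hollowed image) plus read-write private regions holding the managed heap where the plugin metadata strings live.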
MITRE ATT&CK matrix, reconstructed from the report's flattened table as one line per tactic. The digits the report prints in front of a technique are its signature-count badges and are kept as printed in parentheses; techniques without a badge are the matrix template's unmatched cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scheduled Task/Job (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (112); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (2); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (112); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (2); Software Packing (13)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (21); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture (21); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID 623788; sample 5JbQqP8SDG.exe; start date 10/05/2022; architecture WINDOWS; score 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures.

Process tree as drawn in the graph (the numbers after a process name are the graph's created-files and created-registry-values counters, kept as shown):

5JbQqP8SDG.exe (6) started
  dropped: C:\Users\user\AppData\Roaming\GryVAO.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\tmpBE25.tmp (XML)
  dropped: C:\Users\user\AppData\...\5JbQqP8SDG.exe.log (ASCII)
  signature: Uses schtasks.exe or at.exe to add and modify task schedules
  -> 5JbQqP8SDG.exe (1 12) started
       network: lowspeed121.ddns.net 185.19.85.175, ports 49775, 49778, 49781 (DATAWIRE-ASCH, Switzerland)
       dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
       dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
       dropped: C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
       signature: Protects its processes via BreakOnTermination flag
       signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
       -> schtasks.exe (1) started -> conhost.exe started
       -> schtasks.exe (1) started -> conhost.exe started
  -> schtasks.exe (1) started -> conhost.exe started
5JbQqP8SDG.exe (4) started
  signature: Injects a PE file into a foreign processes
dhcpmon.exe (5) started

Source | Detection | Scanner | Label
5JbQqP8SDG.exe | 58% | Virustotal |
5JbQqP8SDG.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AveMariaRAT
5JbQqP8SDG.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\GryVAO.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AveMariaRAT
C:\Users\user\AppData\Roaming\GryVAO.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AveMariaRAT
Source | Detection | Scanner | Label
6.0.5JbQqP8SDG.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.0.5JbQqP8SDG.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.0.5JbQqP8SDG.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.0.5JbQqP8SDG.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.2.5JbQqP8SDG.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.2.5JbQqP8SDG.exe.53e0000.9.unpack | 100% | Avira | TR/NanoCore.fadte
6.0.5JbQqP8SDG.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.comepko8 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnU | 0% | URL Reputation | safe
http://www.sajatypeworks.com= | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn= | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr% | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnH | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.comK | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htmc | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.agfamonotype.p | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.fonts.comu | 0% | Avira URL Cloud | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.urwpp.deX | 0% | Avira URL Cloud | safe
http://www.carterandcone.comexc | 0% | URL Reputation | safe
http://www.fonts.comc | 0% | URL Reputation | safe
http://www.founder.com.c | 0% | URL Reputation | safe
http://www.fontbureau.co | 0% | URL Reputation | safe
http://www.fontbureau.comaU | 0% | Avira URL Cloud | safe
http://www.fontbureau.comicTF | 0% | Avira URL Cloud | safe
http://www.fontbureau.comaK | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comf | 0% | URL Reputation | safe
http://fontfabrik.com= | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.founder.com.cn/cnl-nFp0 | 0% | Avira URL Cloud | safe
http://www.fonts.comce | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnsof | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lowspeed121.ddns.net | 185.19.85.175 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comepko8 | 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnU | 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com= | 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440416859.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440348993.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn= | 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr% | 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cnH | 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comK | 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htmc | 5JbQqP8SDG.exe, 00000000.00000003.454422256.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | |
                • Avira URL Cloud: safe
                unknown
                http://www.fontbureau.com.5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.galapagosdesign.com/DPlease5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.agfamonotype.p5JbQqP8SDG.exe, 00000000.00000003.455928032.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.fonts.com5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.sandoll.co.kr5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.urwpp.deDPlease5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fonts.comu5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.urwpp.de5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.zhongyicts.com.cn5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.sakkal.com5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.urwpp.deX5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.apache.org/licenses/LICENSE-2.05JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.carterandcone.comexc5JbQqP8SDG.exe, 00000000.00000003.444977276.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445248230.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445508362.0000000005ADD000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fonts.comc5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.founder.com.c5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.co5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comaU5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.comicTF5JbQqP8SDG.exe, 00000000.00000003.448954375.0000000005AD8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.comaK5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.comd5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://en.w5JbQqP8SDG.exe, 00000000.00000003.438967518.00000000013DD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.carterandcone.coml5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers/cabarga.htmlN5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.founder.com.cn/cn5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers/frere-jones.html5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.fontbureau.comf5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/cabarga.html5JbQqP8SDG.exe, 00000000.00000003.450491433.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450590496.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450679414.0000000005B0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://fontfabrik.com=5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                low
                                http://www.jiyu-kobo.co.jp/5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers85JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.comals5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comalic5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cnl-nFp05JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fonts.comce5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.founder.com.cn/cnsof5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.19.85.175 | lowspeed121.ddns.net | Switzerland | | 48971 | DATAWIRE-ASCH | false
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:623788
Start date and time:2022-05-10 20:23:39 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 14m 31s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:5JbQqP8SDG.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:36
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@28/12@9/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:
                                  • Successful, ratio: 4.3% (good quality ratio 2.1%)
                                  • Quality average: 31.5%
                                  • Quality standard deviation: 39.4%
                                  HCA Information:
                                  • Successful, ratio: 95%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                  • TCP Packets have been reduced to 100
                                  • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:25:06 | API Interceptor | 711x Sleep call for process: 5JbQqP8SDG.exe modified
20:25:20 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
20:25:23 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\5JbQqP8SDG.exe" s>$(Arg0)
20:25:25 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
20:25:41 | API Interceptor | 4x Sleep call for process: dhcpmon.exe modified
                                  No context
                                  No context
                                  No context
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):611328
                                  Entropy (8bit):7.644650096826273
                                  Encrypted:false
                                  SSDEEP:12288:LgjjSrFL2yMrcIqrxggKI3Ab2zBFW1iR011EaSvq/gK0ncptnxwTFMtRXZk6m:LgjjgAcIqrcIwb2zTb01m
                                  MD5:250D122F4AF32B52435A02787689EBBD
                                  SHA1:39346C41BCB75109DAC251320D4AFEA649538F85
                                  SHA-256:14F5C3AB5CBAD5D2F6E751E8B3D42204460B8B10A38285623734D631A2CEDA09
                                  SHA-512:36D7E91588D98689C76646AE237C84E1797D3371BB54640793E09C23E545CF5BC454779051853C196F7CA6F58FDA3DC080591BA1F86FF81B61928067C84E5488
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 63%
                                  Reputation:unknown
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Umxb..............P..L..........>k... ........@.. ....................................@..................................j..W.................................................................................... ............... ..H............text...DK... ...L.................. ..`.rsrc................N..............@..@.reloc...............R..............@..B................ k......H.......`................Q...1...........................................*..(#...*..($...*.s%........s&........s'........s(........s)........*.~....o*...*.~....o+...*.~....o,...*.~....o-...*.~....o....*R.......o1..........*..(2...*6..($...(%...*..(&...*......(....*..('...*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(.
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1643
                                  Entropy (8bit):5.168687909215862
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3X
                                  MD5:C6382A296ACE45E0D6C9A4A14FF67E89
                                  SHA1:319FCC78DEC52BCB03209FC3A9FFB4007602874D
                                  SHA-256:13F650B6E05BB9EBA9D6AFAE4E792DF61FDF029DFBF87ABD0B9EE983FDB91286
                                  SHA-512:C500C66CBCDC85C485427DA11D54066BD092EE556A78075CA0F575EDAF1B5B98F6B75532252901766B46126D38D147B6742A80B640434F4DA140C20BC6849FC8
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1643
                                  Entropy (8bit):5.168687909215862
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3X
                                  MD5:C6382A296ACE45E0D6C9A4A14FF67E89
                                  SHA1:319FCC78DEC52BCB03209FC3A9FFB4007602874D
                                  SHA-256:13F650B6E05BB9EBA9D6AFAE4E792DF61FDF029DFBF87ABD0B9EE983FDB91286
                                  SHA-512:C500C66CBCDC85C485427DA11D54066BD092EE556A78075CA0F575EDAF1B5B98F6B75532252901766B46126D38D147B6742A80B640434F4DA140C20BC6849FC8
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):1310
                                  Entropy (8bit):5.109425792877704
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1643
                                  Entropy (8bit):5.168687909215862
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3X
                                  MD5:C6382A296ACE45E0D6C9A4A14FF67E89
                                  SHA1:319FCC78DEC52BCB03209FC3A9FFB4007602874D
                                  SHA-256:13F650B6E05BB9EBA9D6AFAE4E792DF61FDF029DFBF87ABD0B9EE983FDB91286
                                  SHA-512:C500C66CBCDC85C485427DA11D54066BD092EE556A78075CA0F575EDAF1B5B98F6B75532252901766B46126D38D147B6742A80B640434F4DA140C20BC6849FC8
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1301
                                  Entropy (8bit):5.121610238297834
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PdxXxtn:cbk4oL600QydbQxIYODOLedq3SXj
                                  MD5:397A97E4D9348E8C5A0A1AABCE2A141A
                                  SHA1:4165A2A21BB901CB63655774AD8E3B6F6B894FFF
                                  SHA-256:FC8358E632BD6B1AD28318263F46F30F57022D6692F503212DA2123ED60294DA
                                  SHA-512:BD41A5CC77A6ABB91838FE1DABB979B8790E5357ED9444877A047B9FAD06B0282FF646B4BCC2882DD8D2ACAA1FCA89313DD2DB54FC8829DD6E701D65C6594F0D
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8
                                  Entropy (8bit):3.0
                                  Encrypted:false
                                  SSDEEP:3:y6ln:y6ln
                                  MD5:ED8BF78CAA6512D8C4DE221FC892B8E7
                                  SHA1:0C2CFB8F84BA2873E0195BE895E3BFFD9DAA5A5D
                                  SHA-256:D12CB0817649797E02AEBAC918FD4C3FDA757086CE726BBA9781FAF6D165AF0B
                                  SHA-512:6613AA1FE39368D7188788359E1D2C33862ACAFB19DB9E9ACA2AA902DC9A1D6BF91E8C5B3348AAF457128B96C48D0F5976E1F67A250659219641E5612C3F23C7
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:.....2.H
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):38
                                  Entropy (8bit):4.511085408180429
                                  Encrypted:false
                                  SSDEEP:3:oNUWJRWQvH9BACn:oNNJAQvH92Cn
                                  MD5:E123BF011BFA42FE28C547BEB8B24E19
                                  SHA1:C481D8D3A7E0AFA805432B15C37545B946149727
                                  SHA-256:036BB6A73DF879739586F448D30FDC203B230C314FA7CFE57D9427B677CD19FA
                                  SHA-512:FFB39A79260DC8F91EF5EE98C145D888DA3EC5187014C9E28F60C1419FFBEED4F8F46F8C19DC283EB2ED810D7CA9F74E0F3E4B8FA4FB67EDFDD25A0DB111B3B2
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):611328
                                  Entropy (8bit):7.644650096826273
                                  Encrypted:false
                                  SSDEEP:12288:LgjjSrFL2yMrcIqrxggKI3Ab2zBFW1iR011EaSvq/gK0ncptnxwTFMtRXZk6m:LgjjgAcIqrcIwb2zTb01m
                                  MD5:250D122F4AF32B52435A02787689EBBD
                                  SHA1:39346C41BCB75109DAC251320D4AFEA649538F85
                                  SHA-256:14F5C3AB5CBAD5D2F6E751E8B3D42204460B8B10A38285623734D631A2CEDA09
                                  SHA-512:36D7E91588D98689C76646AE237C84E1797D3371BB54640793E09C23E545CF5BC454779051853C196F7CA6F58FDA3DC080591BA1F86FF81B61928067C84E5488
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 63%
                                  Reputation:unknown
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Umxb..............P..L..........>k... ........@.. ....................................@..................................j..W.................................................................................... ............... ..H............text...DK... ...L.................. ..`.rsrc................N..............@..@.reloc...............R..............@..B................ k......H.......`................Q...1...........................................*..(#...*..($...*.s%........s&........s'........s(........s)........*.~....o*...*.~....o+...*.~....o,...*.~....o-...*.~....o....*R.......o1..........*..(2...*6..($...(%...*..(&...*......(....*..('...*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(.
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.644650096826273
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:5JbQqP8SDG.exe
                                  File size:611328
                                  MD5:250d122f4af32b52435a02787689ebbd
                                  SHA1:39346c41bcb75109dac251320d4afea649538f85
                                  SHA256:14f5c3ab5cbad5d2f6e751e8b3d42204460b8b10a38285623734d631a2ceda09
                                  SHA512:36d7e91588d98689c76646ae237c84e1797d3371bb54640793e09c23e545cf5bc454779051853c196f7ca6f58fda3dc080591ba1f86ff81b61928067c84e5488
                                  SSDEEP:12288:LgjjSrFL2yMrcIqrxggKI3Ab2zBFW1iR011EaSvq/gK0ncptnxwTFMtRXZk6m:LgjjgAcIqrcIwb2zTb01m
                                  TLSH:D5D47B9CB110759EF45BD4B2CA686C64A691776B431F42039433E7AE9E2E5F3CE40CA3
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Umxb..............P..L..........>k... ........@.. ....................................@................................
                                  Icon Hash:00828e8e8686b000
                                  Entrypoint:0x496b3e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x62786D55 [Mon May 9 01:24:37 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x96ae4 | 0x57 | .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x398 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a000 | 0xc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x2000 | 0x94b44 | 0x94c00 | False | 0.799832589286 | data | 7.65135197379 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                   .rsrc | 0x98000 | 0x398 | 0x400 | False | 0.376953125 | data | 2.97811845606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0x9a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country
                                   RT_VERSION | 0x98058 | 0x33c | data | |
                                   DLL | Import
                                   mscoree.dll | _CorExeMain
                                   Description | Data
                                   Translation | 0x0000 0x04b0
                                   LegalCopyright | Copyright CPT185
                                   Assembly Version | 1.2.0.0
                                   InternalName | eawGGIn.exe
                                   FileVersion | 1.2.0.0
                                   CompanyName | CPT185
                                   LegalTrademarks |
                                   Comments |
                                   ProductName | CPT185_Homework
                                   ProductVersion | 1.2.0.0
                                   FileDescription | CPT185_Homework
                                   OriginalFilename | eawGGIn.exe
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   May 10, 2022 20:25:32.728507042 CEST | 49775 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:32.746197939 CEST | 50421 | 49775 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:33.344623089 CEST | 49775 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:33.403633118 CEST | 50421 | 49775 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:34.032136917 CEST | 49775 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:34.062242985 CEST | 50421 | 49775 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:38.412297964 CEST | 49778 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:38.474441051 CEST | 50421 | 49778 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:39.032617092 CEST | 49778 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:39.072555065 CEST | 50421 | 49778 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:39.641993046 CEST | 49778 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:39.672367096 CEST | 50421 | 49778 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:44.898557901 CEST | 49781 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:44.916450024 CEST | 50421 | 49781 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:45.533144951 CEST | 49781 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:45.552731991 CEST | 50421 | 49781 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:46.110516071 CEST | 49781 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:46.154194117 CEST | 50421 | 49781 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:51.772958040 CEST | 49784 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:51.814470053 CEST | 50421 | 49784 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:52.346168041 CEST | 49784 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:52.372033119 CEST | 50421 | 49784 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:52.951143980 CEST | 49784 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:52.990546942 CEST | 50421 | 49784 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:57.005374908 CEST | 49787 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:57.063580990 CEST | 50421 | 49787 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:57.637762070 CEST | 49787 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:57.657197952 CEST | 50421 | 49787 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:25:58.239928007 CEST | 49787 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:25:58.265409946 CEST | 50421 | 49787 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:02.305550098 CEST | 49789 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:02.337171078 CEST | 50421 | 49789 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:03.002831936 CEST | 49789 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:03.029366970 CEST | 50421 | 49789 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:03.691318035 CEST | 49789 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:03.709923983 CEST | 50421 | 49789 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:10.671817064 CEST | 49791 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:10.701931953 CEST | 50421 | 49791 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:11.323120117 CEST | 49791 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:11.343614101 CEST | 50421 | 49791 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:12.019603968 CEST | 49791 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:12.039122105 CEST | 50421 | 49791 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:16.140109062 CEST | 49797 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:16.159164906 CEST | 50421 | 49797 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:16.738403082 CEST | 49797 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:16.756925106 CEST | 50421 | 49797 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:17.288614988 CEST | 49797 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:17.306202888 CEST | 50421 | 49797 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:21.410116911 CEST | 49801 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:21.428174019 CEST | 50421 | 49801 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:22.004448891 CEST | 49801 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:22.033843994 CEST | 50421 | 49801 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:22.694041014 CEST | 49801 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:22.711700916 CEST | 50421 | 49801 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:26.726931095 CEST | 49803 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:26.754028082 CEST | 50421 | 49803 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:27.348707914 CEST | 49803 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:27.366638899 CEST | 50421 | 49803 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:28.036252022 CEST | 49803 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:28.063142061 CEST | 50421 | 49803 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:32.088620901 CEST | 49804 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:32.106316090 CEST | 50421 | 49804 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:32.645987988 CEST | 49804 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:32.663572073 CEST | 50421 | 49804 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:33.349282980 CEST | 49804 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:33.368165970 CEST | 50421 | 49804 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:37.387248993 CEST | 49805 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:37.404926062 CEST | 50421 | 49805 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:38.005887032 CEST | 49805 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:38.023646116 CEST | 50421 | 49805 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:38.693451881 CEST | 49805 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:38.711137056 CEST | 50421 | 49805 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:42.812170029 CEST | 49807 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:42.844466925 CEST | 50421 | 49807 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:43.350069046 CEST | 49807 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:43.368793964 CEST | 50421 | 49807 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:44.026642084 CEST | 49807 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:44.061487913 CEST | 50421 | 49807 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:49.824131966 CEST | 49809 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:49.848602057 CEST | 50421 | 49809 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:50.350656986 CEST | 49809 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:50.368242025 CEST | 50421 | 49809 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:51.038208961 CEST | 49809 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:51.055838108 CEST | 50421 | 49809 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:55.132627964 CEST | 49815 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:55.150667906 CEST | 50421 | 49815 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:55.741739988 CEST | 49815 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:55.759327888 CEST | 50421 | 49815 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:26:56.351227999 CEST | 49815 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:26:56.381736994 CEST | 50421 | 49815 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:27:00.384252071 CEST | 49841 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:27:00.401876926 CEST | 50421 | 49841 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:27:00.945350885 CEST | 49841 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:27:00.970081091 CEST | 50421 | 49841 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:27:01.476583004 CEST | 49841 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:27:01.496156931 CEST | 50421 | 49841 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:27:05.512118101 CEST | 49850 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:27:05.541635036 CEST | 50421 | 49850 | 185.19.85.175 | 192.168.2.5
                                   May 10, 2022 20:27:06.133254051 CEST | 49850 | 50421 | 192.168.2.5 | 185.19.85.175
                                   May 10, 2022 20:27:06.173866034 CEST | 50421 | 49850 | 185.19.85.175 | 192.168.2.5
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   May 10, 2022 20:25:32.594398022 CEST | 54322 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:25:32.613013983 CEST | 53 | 54322 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:25:38.359194040 CEST | 63712 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:25:38.380553007 CEST | 53 | 63712 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:25:44.221904993 CEST | 62466 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:25:44.240909100 CEST | 53 | 62466 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:26:08.134268999 CEST | 57352 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:26:08.155194998 CEST | 53 | 57352 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:26:16.115792990 CEST | 63241 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:26:16.137823105 CEST | 53 | 63241 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:26:21.373483896 CEST | 57809 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:26:21.391987085 CEST | 53 | 57809 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:26:42.791327953 CEST | 62680 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:26:42.808203936 CEST | 53 | 62680 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:26:49.778464079 CEST | 49407 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:26:49.799529076 CEST | 53 | 49407 | 8.8.8.8 | 192.168.2.5
                                   May 10, 2022 20:26:55.111569881 CEST | 54463 | 53 | 192.168.2.5 | 8.8.8.8
                                   May 10, 2022 20:26:55.130059958 CEST | 53 | 54463 | 8.8.8.8 | 192.168.2.5
                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                   May 10, 2022 20:25:32.594398022 CEST | 192.168.2.5 | 8.8.8.8 | 0x70e8 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:25:38.359194040 CEST | 192.168.2.5 | 8.8.8.8 | 0x9d84 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:25:44.221904993 CEST | 192.168.2.5 | 8.8.8.8 | 0xae7 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:26:08.134268999 CEST | 192.168.2.5 | 8.8.8.8 | 0xb5df | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:26:16.115792990 CEST | 192.168.2.5 | 8.8.8.8 | 0x41e3 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:26:21.373483896 CEST | 192.168.2.5 | 8.8.8.8 | 0x946 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:26:42.791327953 CEST | 192.168.2.5 | 8.8.8.8 | 0xb453 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:26:49.778464079 CEST | 192.168.2.5 | 8.8.8.8 | 0xa12 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                   May 10, 2022 20:26:55.111569881 CEST | 192.168.2.5 | 8.8.8.8 | 0x20a2 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  May 10, 2022 20:25:32.613013983 CEST | 8.8.8.8 | 192.168.2.5 | 0x70e8 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:25:38.380553007 CEST | 8.8.8.8 | 192.168.2.5 | 0x9d84 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:25:44.240909100 CEST | 8.8.8.8 | 192.168.2.5 | 0xae7 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:08.155194998 CEST | 8.8.8.8 | 192.168.2.5 | 0xb5df | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:16.137823105 CEST | 8.8.8.8 | 192.168.2.5 | 0x41e3 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:21.391987085 CEST | 8.8.8.8 | 192.168.2.5 | 0x946 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:42.808203936 CEST | 8.8.8.8 | 192.168.2.5 | 0xb453 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:49.799529076 CEST | 8.8.8.8 | 192.168.2.5 | 0xa12 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:55.130059958 CEST | 8.8.8.8 | 192.168.2.5 | 0x20a2 | No error (0) | lowspeed121.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)

                                  Target ID:0
                                  Start time:20:24:53
                                  Start date:10/05/2022
                                  Path:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\5JbQqP8SDG.exe"
                                  Imagebase:0x790000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Target ID:4
                                  Start time:20:25:13
                                  Start date:10/05/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
                                  Imagebase:0xd30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:5
                                  Start time:20:25:13
                                  Start date:10/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff77f440000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:6
                                  Start time:20:25:14
                                  Start date:10/05/2022
                                  Path:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x7e0000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Target ID:9
                                  Start time:20:25:20
                                  Start date:10/05/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp
                                  Imagebase:0xd30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:10
                                  Start time:20:25:21
                                  Start date:10/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff77f440000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:11
                                  Start time:20:25:23
                                  Start date:10/05/2022
                                  Path:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\5JbQqP8SDG.exe 0
                                  Imagebase:0x1a0000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Target ID:12
                                  Start time:20:25:23
                                  Start date:10/05/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp
                                  Imagebase:0xd30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:13
                                  Start time:20:25:24
                                  Start date:10/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff77f440000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:14
                                  Start time:20:25:26
                                  Start date:10/05/2022
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                  Imagebase:0xda0000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 63%, ReversingLabs
                                  Reputation:low

                                  No disassembly