Windows Analysis Report
U7Ncg7oAyC.exe

Overview

General Information

Sample Name:	U7Ncg7oAyC.exe
Analysis ID:	623790
MD5:	1d2ca2d522f8f4e99609cf7e88e673b4
SHA1:	7754eade48451776ab6109a0c584573780a4f531
SHA256:	26e6fe6c78632392c446e53eb0779ec99e0864d09265b9dda557763629ef3396
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Connects to many ports of the same IP (likely port scanning)

Protects its processes via BreakOnTermination flag

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: U7Ncg7oAyC.exe	Virustotal: Detection: 43%			Perma Link
Source: U7Ncg7oAyC.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\LYKZypsugb.exe	ReversingLabs: Detection: 63%

Yara detected Nanocore RAT

Source: Yara match	File source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

Machine Learning detection for sample

Source: U7Ncg7oAyC.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\LYKZypsugb.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 24.2.dhcpmon.exe.3b0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.U7Ncg7oAyC.exe.420000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 34.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.dhcpmon.exe.cf0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack	Avira: Label: TR/NanoCore.fadte

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 19.2.U7Ncg7oAyC.exe.420000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 22.2.dhcpmon.exe.cf0000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 24.2.dhcpmon.exe.3b0000.0.unpack

Uses 32bit PE files

Source: U7Ncg7oAyC.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: U7Ncg7oAyC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-24h]	19_2_07E04F40
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04F40
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then xor edx, edx	19_2_07E04E78
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_07E04AB0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-24h]	19_2_07E04F3B
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04F3B
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then xor edx, edx	19_2_07E04E6C
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-20h]	19_2_07E04C20
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04C20
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-20h]	19_2_07E04C14
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04C14
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_07E04AA7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	24_2_04E194D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	24_2_04E17B3C

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 102.89.42.162 ports 54761,1,4,5,6,7
Source: global traffic	TCP traffic: 185.19.85.160 ports 54761,1,4,5,6,7

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.4:49763 -> 102.89.42.162:54761
Source: global traffic	TCP traffic: 192.168.2.4:49778 -> 185.19.85.160:54761

Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160

Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: fastspeed.ddnsfree.com

Installs a raw input device (often for capturing keystrokes)

Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Process information set: 01 00 00 00

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D720E8	0_2_02D720E8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D73040	0_2_02D73040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D70470	0_2_02D70470
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D7B558	0_2_02D7B558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D70FE8	0_2_02D70FE8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75340	0_2_02D75340
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75330	0_2_02D75330
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75138	0_2_02D75138
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75128	0_2_02D75128
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75738	0_2_02D75738
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75558	0_2_02D75558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75568	0_2_02D75568
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D74A90	0_2_02D74A90
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D74A81	0_2_02D74A81
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D71BF8	0_2_02D71BF8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D73ED0	0_2_02D73ED0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D73EC1	0_2_02D73EC1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D70F3F	0_2_02D70F3F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D72F39	0_2_02D72F39
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D9770	0_2_054D9770
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D0040	0_2_054D0040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D0006	0_2_054D0006
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_09C90040	0_2_09C90040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_09C9003E	0_2_09C9003E
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_0283E480	6_2_0283E480
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_0283E471	6_2_0283E471
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_0283BBD4	6_2_0283BBD4
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_062A03F0	6_2_062A03F0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D50470	19_2_04D50470
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D5B558	19_2_04D5B558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D520E8	19_2_04D520E8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D53040	19_2_04D53040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D50FE8	19_2_04D50FE8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55558	19_2_04D55558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55568	19_2_04D55568
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55738	19_2_04D55738
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55138	19_2_04D55138
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55128	19_2_04D55128
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55340	19_2_04D55340
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55330	19_2_04D55330
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D53ED0	19_2_04D53ED0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D53EC1	19_2_04D53EC1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D50F3F	19_2_04D50F3F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D52F39	19_2_04D52F39
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D54A90	19_2_04D54A90
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D54A81	19_2_04D54A81
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D51BF8	19_2_04D51BF8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0C080	19_2_07E0C080
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E00040	19_2_07E00040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0BC58	19_2_07E0BC58
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E05620	19_2_07E05620
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0561F	19_2_07E0561F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0C07F	19_2_07E0C07F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0BC49	19_2_07E0BC49
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_0929003F	19_2_0929003F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_09290040	19_2_09290040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3040	22_2_015A3040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A20F8	22_2_015A20F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015AB558	22_2_015AB558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0480	22_2_015A0480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0FE8	22_2_015A0FE8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5138	22_2_015A5138
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5128	22_2_015A5128
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3018	22_2_015A3018
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A20E8	22_2_015A20E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5340	22_2_015A5340
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5330	22_2_015A5330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5558	22_2_015A5558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5568	22_2_015A5568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0470	22_2_015A0470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5748	22_2_015A5748
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5738	22_2_015A5738
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A1BF8	22_2_015A1BF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A4A90	22_2_015A4A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A4A81	22_2_015A4A81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A4DA2	22_2_015A4DA2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A1C08	22_2_015A1C08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0F3F	22_2_015A0F3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A2FEC	22_2_015A2FEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3ED0	22_2_015A3ED0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3EC2	22_2_015A3EC2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_05710040	22_2_05710040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_05710007	22_2_05710007
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_09B4003E	22_2_09B4003E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_09B40040	22_2_09B40040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663040	24_2_02663040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_026620E8	24_2_026620E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02660470	24_2_02660470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_0266B558	24_2_0266B558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02660FE8	24_2_02660FE8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665340	24_2_02665340
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665330	24_2_02665330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663017	24_2_02663017
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665128	24_2_02665128
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665138	24_2_02665138
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665738	24_2_02665738
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665568	24_2_02665568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665558	24_2_02665558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02664A81	24_2_02664A81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02664A90	24_2_02664A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02661BF8	24_2_02661BF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663EC1	24_2_02663EC1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663ED0	24_2_02663ED0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02660F3F	24_2_02660F3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02662FEB	24_2_02662FEB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04E149F4	24_2_04E149F4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04E16A21	24_2_04E16A21
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04E16A30	24_2_04E16A30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04F30040	24_2_04F30040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04F30006	24_2_04F30006

Source: U7Ncg7oAyC.exe	Binary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.309699383.0000000004715000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.311185791.0000000004F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.305800240.0000000000C24000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000000.246905121.0000000000B82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000003.269472442.0000000009BA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.313988013.00000000098D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFort.dll" vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe	Binary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000000.298268399.0000000000522000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe	Binary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000002.382607982.00000000004C4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000000.317398335.0000000000422000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000002.393603690.0000000004035000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000002.411649755.0000000004830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000000.374097639.0000000000D12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe

Source: U7Ncg7oAyC.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: LYKZypsugb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: unknown	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe "C:\Users\user\Desktop\U7Ncg7oAyC.exe"
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp
Source: unknown	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b3a6f9ad-fdc4-4025-8d68-cc0f37771046}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01

Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_00B82299 push ebx; ret	0_2_00B822AB
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D761E8 push esp; iretd	0_2_02D761E9
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D76AE1 push dword ptr [ebx]; iretd	0_2_02D76AEC
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D3DFB push esi; ret	0_2_054D3DFC
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_09C93DBD pushfd ; ret	0_2_09C93DBE
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_00522299 push ebx; ret	6_2_005222AB
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_00422299 push ebx; ret	19_2_004222AB
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D561E8 push esp; iretd	19_2_04D561E9
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D56AE1 push dword ptr [ebx]; iretd	19_2_04D56AEC
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_09293DBD pushfd ; ret	19_2_09293DBE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_00CF2299 push ebx; ret	22_2_00CF22AB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A61E8 push esp; iretd	22_2_015A61E9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A6AE1 push dword ptr [ebx]; iretd	22_2_015A6AEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_05713DFB push esi; ret	22_2_05713DFC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_09B43DBD pushfd ; ret	22_2_09B43DBE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_003B2299 push ebx; ret	24_2_003B22AB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_026661E8 push esp; iretd	24_2_026661E9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02666AE1 push dword ptr [ebx]; iretd	24_2_02666AEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04F33DFB push esi; ret	24_2_04F33DFC

Source: initial sample	Static PE information: section name: .text entropy: 7.75508986641
Source: initial sample	Static PE information: section name: .text entropy: 7.75508986641
Source: initial sample	Static PE information: section name: .text entropy: 7.75508986641

Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File created: C:\Users\user\AppData\Roaming\LYKZypsugb.exe			Jump to dropped file
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Source: Yara match	File source: 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR

Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6288	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 5316	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6348	Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 5544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6628	Thread sleep time: -45733s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5744	Thread sleep time: -45733s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2320	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7257	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1385	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Window / User API: threadDelayed 5589	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Window / User API: threadDelayed 3709	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Window / User API: foregroundWindowGot 676	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5015

Windows Analysis Report U7Ncg7oAyC.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
U7Ncg7oAyC.exe

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 45733	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 45733
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 45733
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Memory written: C:\Users\user\Desktop\U7Ncg7oAyC.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Memory written: C:\Users\user\Desktop\U7Ncg7oAyC.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: U7Ncg7oAyC.exe, 00000006.00000002.519112571.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517682575.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517867375.0000000002B35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: U7Ncg7oAyC.exe, 00000006.00000002.521213475.000000000605C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerlT
Source: U7Ncg7oAyC.exe, 00000006.00000002.521628763.0000000006D7C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerlt
Source: U7Ncg7oAyC.exe, 00000006.00000002.517929378.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.518844326.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.519038098.0000000002E53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerL@

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
102.89.42.162	fastspeed.ddnsfree.com	Nigeria		29465	VCG-ASNG	false
185.19.85.160	unknown	Switzerland		48971	DATAWIRE-ASCH	true

ID:	623790
Product:	CloudBasic
Start time:	20:24:16
Start date:	10.05.2022
Sample:	U7Ncg7oAyC.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1d2ca2d522f8f4e99609cf7e88e673b4
SHA1:	7754eade48451776ab6109a0c584573780a4f531
SHA256:	26e6fe6c78632392c446e53eb0779ec99e0864d09265b9dda557763629ef3396
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	1D2CA2D522F8F4E99609CF7E88E673B4	7754EADE48451776AB6109A0C584573780A4F531	26E6FE6C78632392C446E53EB0779EC99E0864D09265B9DDA557763629EF3396
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U7Ncg7oAyC.exe.log	ASCII text, with CRLF line terminators	2E016B886BDB8389D2DD0867BE55F87B	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log	ASCII text, with CRLF line terminators	2E016B886BDB8389D2DD0867BE55F87B	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	B48A3CB56D940D40899C82CB18349019	A81F5B80148B290F7B115B1862A6BF492754472B	456907D8FEC547A994094963214D6433096460E716734BC3F0565D0017A39CD8
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ecs0lfa.ixf.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsigrkao.tom.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1m3l4aa.d5i.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5awvum2.yte.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mft4fmko.ytz.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uw5wzcbh.lxx.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp43AF.tmp	XML 1.0 document, ASCII text	9EFD51689C727F20C031623471DE2F80	D482AE77FF2C56200AFF26D1F60F154EA3284424	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	2B43925FC06B18EE3393BA0ADD40BAAF	CAAA2EC5919286948F8261749881EC16F002F7AE	BC1F1A6129175A30B5AAB1BBA669B079FC6EEEA63932408B45360D7D17954CAD
C:\Users\user\AppData\Local\Temp\tmp7772.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	5C2F41CFC6F988C859DA7D727AC2B62A	68999C85FC7E37BAB9216E0099836D40D4545C1C	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp	XML 1.0 document, ASCII text	9EFD51689C727F20C031623471DE2F80	D482AE77FF2C56200AFF26D1F60F154EA3284424	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
C:\Users\user\AppData\Local\Temp\tmpE07C.tmp	XML 1.0 document, ASCII text	9EFD51689C727F20C031623471DE2F80	D482AE77FF2C56200AFF26D1F60F154EA3284424	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
C:\Users\user\AppData\Local\Temp\tmpFF8.tmp	XML 1.0 document, ASCII text	9EFD51689C727F20C031623471DE2F80	D482AE77FF2C56200AFF26D1F60F154EA3284424	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	Non-ISO extended-ASCII text, with no line terminators	E1A65AC335BAFC6F6B29C3045CC80746	910EDE448F0375017B38504D04238B88ECE7B665	39328DADE32C9C89241351CFF0BD948E101D8AACDD5DFB46AEC0B026A80138D3
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat	ASCII text, with no line terminators	B9253443357B989E29C7F2ABD211659E	62C23472EF297E9AD5885DA092E10632FE9A1255	9A1CC820F868A1592FB51E9FCFC659212799237AC0D601CDA4D14C2A856B0F94
C:\Users\user\AppData\Roaming\LYKZypsugb.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	1D2CA2D522F8F4E99609CF7E88E673B4	7754EADE48451776AB6109A0C584573780A4F531	26E6FE6C78632392C446E53EB0779EC99E0864D09265B9DDA557763629EF3396
C:\Users\user\AppData\Roaming\LYKZypsugb.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20220510\PowerShell_transcript.116938.fI+kujIg.20220510202544.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	B8023493ACFC7513D0B49AC20F2AB2DC	9BC3EA79060F4698CC039DCC51BBD1F27CFD337E	D7C6D92CC95D6E5BA2C61130C7ED8B40DA8015D47114BCD0FACCFFEAA6368FF2
C:\Users\user\Documents\20220510\PowerShell_transcript.116938.mceeeTGm.20220510202624.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	C4495982528CE031FA1A15D45CF20ABA	932D64C3C0B2FB6D311B2574D9D1A3D6B3E3AB0B	4BAE03386C9DEE4B2DE0E955E22871D88814AEE8A94189D9C323429C397B51DC
C:\Users\user\Documents\20220510\PowerShell_transcript.116938.t0abdEXe.20220510202615.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	5B233F88C4CC3E2FDC7A7C2A28841E46	EAEBE12A987BDC0EF1E17349AD12C6578E404F8E	46B9CF88587AA3AC70A8BCFE4786B2BEF96982598C4F4A0122FCBBD23E2040A2