Edit tour

Windows Analysis Report
U7Ncg7oAyC.exe

Overview

General Information

Sample Name:	U7Ncg7oAyC.exe
Analysis ID:	623790
MD5:	1d2ca2d522f8f4e99609cf7e88e673b4
SHA1:	7754eade48451776ab6109a0c584573780a4f531
SHA256:	26e6fe6c78632392c446e53eb0779ec99e0864d09265b9dda557763629ef3396
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Connects to many ports of the same IP (likely port scanning)

Protects its processes via BreakOnTermination flag

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

U7Ncg7oAyC.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\U7Ncg7oAyC.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

powershell.exe (PID: 6456 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6476 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

U7Ncg7oAyC.exe (PID: 6752 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

schtasks.exe (PID: 4132 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4352 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

U7Ncg7oAyC.exe (PID: 2860 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

powershell.exe (PID: 5684 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6168 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

U7Ncg7oAyC.exe (PID: 6568 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

dhcpmon.exe (PID: 5308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

powershell.exe (PID: 6944 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 1556 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 640 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

dhcpmon.exe (PID: 5256 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

powershell.exe (PID: 6560 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4144 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3348 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6930f:$a: NanoCore 0x69368:$a: NanoCore 0x693a5:$a: NanoCore 0x6941e:$a: NanoCore 0x6ebd6:$a: NanoCore 0x6ec20:$a: NanoCore 0x6ee0a:$a: NanoCore 0x69371:$b: ClientPlugin 0x693ae:$b: ClientPlugin 0x69cac:$b: ClientPlugin 0x69cb9:$b: ClientPlugin 0x6e96f:$b: ClientPlugin 0x6ebdf:$b: ClientPlugin 0x6ec29:$b: ClientPlugin 0x6f141:$c: ProjectData 0x5cec8:$e: KeepAlive 0x697f9:$g: LogClientMessage 0x6f034:$g: LogClientMessage 0x69779:$i: get_Connected 0x5cf6b:$j: #=q 0x5cf9b:$j: #=q
00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x85ad:$a: NanoCore 0x8606:$a: NanoCore 0x8643:$a: NanoCore 0x86bc:$a: NanoCore 0xdc51:$a: NanoCore 0xdc9b:$a: NanoCore 0xde85:$a: NanoCore 0x217a4:$a: NanoCore 0x217b9:$a: NanoCore 0x217ee:$a: NanoCore 0x3a743:$a: NanoCore 0x3a758:$a: NanoCore 0x3a78d:$a: NanoCore 0x860f:$b: ClientPlugin 0x864c:$b: ClientPlugin 0x8f4a:$b: ClientPlugin 0x8f57:$b: ClientPlugin 0xd9ea:$b: ClientPlugin 0xdc5a:$b: ClientPlugin 0xdca4:$b: ClientPlugin 0x21560:$b: ClientPlugin
00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x6ecfe:$a: NanoCore 0x6ed48:$a: NanoCore 0x6ef32:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x6ea97:$b: ClientPlugin 0x6ed07:$b: ClientPlugin 0x6ed51:$b: ClientPlugin 0x6f269:$c: ProjectData 0x5cff0:$e: KeepAlive 0x69921:$g: LogClientMessage 0x6f15c:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5d093:$j: #=q 0x5d0c3:$j: #=q
00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x6ecfe:$a: NanoCore 0x6ed48:$a: NanoCore 0x6ef32:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x6ea97:$b: ClientPlugin 0x6ed07:$b: ClientPlugin 0x6ed51:$b: ClientPlugin 0x6f269:$c: ProjectData 0x5cff0:$e: KeepAlive 0x69921:$g: LogClientMessage 0x6f15c:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5d093:$j: #=q 0x5d0c3:$j: #=q
00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x485ad:$a: NanoCore 0x48606:$a: NanoCore 0x48643:$a: NanoCore 0x486bc:$a: NanoCore 0x4dc51:$a: NanoCore 0x4dc9b:$a: NanoCore 0x4de85:$a: NanoCore 0x617a4:$a: NanoCore 0x617b9:$a: NanoCore 0x617ee:$a: NanoCore 0x7a743:$a: NanoCore 0x7a758:$a: NanoCore 0x7a78d:$a: NanoCore 0x4860f:$b: ClientPlugin 0x4864c:$b: ClientPlugin 0x48f4a:$b: ClientPlugin 0x48f57:$b: ClientPlugin 0x4d9ea:$b: ClientPlugin 0x4dc5a:$b: ClientPlugin 0x4dca4:$b: ClientPlugin 0x61560:$b: ClientPlugin
00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x485ad:$a: NanoCore 0x48606:$a: NanoCore 0x48643:$a: NanoCore 0x486bc:$a: NanoCore 0x4dc51:$a: NanoCore 0x4dc9b:$a: NanoCore 0x4de85:$a: NanoCore 0x617a4:$a: NanoCore 0x617b9:$a: NanoCore 0x617ee:$a: NanoCore 0x7a743:$a: NanoCore 0x7a758:$a: NanoCore 0x7a78d:$a: NanoCore 0x4860f:$b: ClientPlugin 0x4864c:$b: ClientPlugin 0x48f4a:$b: ClientPlugin 0x48f57:$b: ClientPlugin 0x4d9ea:$b: ClientPlugin 0x4dc5a:$b: ClientPlugin 0x4dca4:$b: ClientPlugin 0x61560:$b: ClientPlugin
0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4763d:$x1: NanoCore.ClientPluginHost 0x7be5d:$x1: NanoCore.ClientPluginHost 0xb047d:$x1: NanoCore.ClientPluginHost 0x4767a:$x2: IClientNetworkHost 0x7be9a:$x2: IClientNetworkHost 0xb04ba:$x2: IClientNetworkHost 0x4b1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb3fed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x473a5:$a: NanoCore 0x473b5:$a: NanoCore 0x475e9:$a: NanoCore 0x475fd:$a: NanoCore 0x4763d:$a: NanoCore 0x7bbc5:$a: NanoCore 0x7bbd5:$a: NanoCore 0x7be09:$a: NanoCore 0x7be1d:$a: NanoCore 0x7be5d:$a: NanoCore 0xb01e5:$a: NanoCore 0xb01f5:$a: NanoCore 0xb0429:$a: NanoCore 0xb043d:$a: NanoCore 0xb047d:$a: NanoCore 0x47404:$b: ClientPlugin 0x47606:$b: ClientPlugin 0x47646:$b: ClientPlugin 0x7bc24:$b: ClientPlugin 0x7be26:$b: ClientPlugin 0x7be66:$b: ClientPlugin
00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4763d:$x1: NanoCore.ClientPluginHost 0x7be5d:$x1: NanoCore.ClientPluginHost 0xb047d:$x1: NanoCore.ClientPluginHost 0x4767a:$x2: IClientNetworkHost 0x7be9a:$x2: IClientNetworkHost 0xb04ba:$x2: IClientNetworkHost 0x4b1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb3fed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x473a5:$a: NanoCore 0x473b5:$a: NanoCore 0x475e9:$a: NanoCore 0x475fd:$a: NanoCore 0x4763d:$a: NanoCore 0x7bbc5:$a: NanoCore 0x7bbd5:$a: NanoCore 0x7be09:$a: NanoCore 0x7be1d:$a: NanoCore 0x7be5d:$a: NanoCore 0xb01e5:$a: NanoCore 0xb01f5:$a: NanoCore 0xb0429:$a: NanoCore 0xb043d:$a: NanoCore 0xb047d:$a: NanoCore 0x47404:$b: ClientPlugin 0x47606:$b: ClientPlugin 0x47646:$b: ClientPlugin 0x7bc24:$b: ClientPlugin 0x7be26:$b: ClientPlugin 0x7be66:$b: ClientPlugin
0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4763d:$x1: NanoCore.ClientPluginHost 0x7be5d:$x1: NanoCore.ClientPluginHost 0xb047d:$x1: NanoCore.ClientPluginHost 0x4767a:$x2: IClientNetworkHost 0x7be9a:$x2: IClientNetworkHost 0xb04ba:$x2: IClientNetworkHost 0x4b1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb3fed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x473a5:$a: NanoCore 0x473b5:$a: NanoCore 0x475e9:$a: NanoCore 0x475fd:$a: NanoCore 0x4763d:$a: NanoCore 0x7bbc5:$a: NanoCore 0x7bbd5:$a: NanoCore 0x7be09:$a: NanoCore 0x7be1d:$a: NanoCore 0x7be5d:$a: NanoCore 0xb01e5:$a: NanoCore 0xb01f5:$a: NanoCore 0xb0429:$a: NanoCore 0xb043d:$a: NanoCore 0xb047d:$a: NanoCore 0x47404:$b: ClientPlugin 0x47606:$b: ClientPlugin 0x47646:$b: ClientPlugin 0x7bc24:$b: ClientPlugin 0x7be26:$b: ClientPlugin 0x7be66:$b: ClientPlugin
00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x485ad:$a: NanoCore 0x48606:$a: NanoCore 0x48643:$a: NanoCore 0x486bc:$a: NanoCore 0x4dc51:$a: NanoCore 0x4dc9b:$a: NanoCore 0x4de85:$a: NanoCore 0x617a4:$a: NanoCore 0x617b9:$a: NanoCore 0x617ee:$a: NanoCore 0x7a743:$a: NanoCore 0x7a758:$a: NanoCore 0x7a78d:$a: NanoCore 0x4860f:$b: ClientPlugin 0x4864c:$b: ClientPlugin 0x48f4a:$b: ClientPlugin 0x48f57:$b: ClientPlugin 0x4d9ea:$b: ClientPlugin 0x4dc5a:$b: ClientPlugin 0x4dca4:$b: ClientPlugin 0x61560:$b: ClientPlugin
00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4763d:$x1: NanoCore.ClientPluginHost 0x7be5d:$x1: NanoCore.ClientPluginHost 0xb047d:$x1: NanoCore.ClientPluginHost 0x4767a:$x2: IClientNetworkHost 0x7be9a:$x2: IClientNetworkHost 0xb04ba:$x2: IClientNetworkHost 0x4b1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb3fed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x473a5:$a: NanoCore 0x473b5:$a: NanoCore 0x475e9:$a: NanoCore 0x475fd:$a: NanoCore 0x4763d:$a: NanoCore 0x7bbc5:$a: NanoCore 0x7bbd5:$a: NanoCore 0x7be09:$a: NanoCore 0x7be1d:$a: NanoCore 0x7be5d:$a: NanoCore 0xb01e5:$a: NanoCore 0xb01f5:$a: NanoCore 0xb0429:$a: NanoCore 0xb043d:$a: NanoCore 0xb047d:$a: NanoCore 0x47404:$b: ClientPlugin 0x47606:$b: ClientPlugin 0x47646:$b: ClientPlugin 0x7bc24:$b: ClientPlugin 0x7be26:$b: ClientPlugin 0x7be66:$b: ClientPlugin
Process Memory Space: U7Ncg7oAyC.exe PID: 6284	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xbd898:$x1: NanoCore.ClientPluginHost 0xbd8d5:$x2: IClientNetworkHost 0xc13bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xcc43b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd8665:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe39f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: U7Ncg7oAyC.exe PID: 6284	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: U7Ncg7oAyC.exe PID: 6284	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: U7Ncg7oAyC.exe PID: 6284	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbd565:$a: NanoCore 0xbd575:$a: NanoCore 0xbd634:$a: NanoCore 0xbd643:$a: NanoCore 0xbd844:$a: NanoCore 0xbd858:$a: NanoCore 0xbd898:$a: NanoCore 0xc8aa5:$a: NanoCore 0xc8ab7:$a: NanoCore 0xc8af3:$a: NanoCore 0xd4ccf:$a: NanoCore 0xd4ce1:$a: NanoCore 0xd4d1d:$a: NanoCore 0xe005f:$a: NanoCore 0xe0071:$a: NanoCore 0xe00ad:$a: NanoCore 0xbd5c4:$b: ClientPlugin 0xbd68d:$b: ClientPlugin 0xbd861:$b: ClientPlugin 0xbd8a1:$b: ClientPlugin 0xc8ac0:$b: ClientPlugin
Process Memory Space: U7Ncg7oAyC.exe PID: 6752	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x455b:$x1: NanoCore.ClientPluginHost 0x2ec16:$x1: NanoCore.ClientPluginHost 0x7f0fd:$x1: NanoCore.ClientPluginHost 0x4598:$x2: IClientNetworkHost 0x2ec30:$x2: IClientNetworkHost 0x7f117:$x2: IClientNetworkHost 0x8089:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1310f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: U7Ncg7oAyC.exe PID: 6752	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: U7Ncg7oAyC.exe PID: 6752	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4228:$a: NanoCore 0x4238:$a: NanoCore 0x42f7:$a: NanoCore 0x4306:$a: NanoCore 0x4507:$a: NanoCore 0x451b:$a: NanoCore 0x455b:$a: NanoCore 0xf779:$a: NanoCore 0xf78b:$a: NanoCore 0xf7c7:$a: NanoCore 0x2e864:$a: NanoCore 0x2eb80:$a: NanoCore 0x2ebd9:$a: NanoCore 0x2ec16:$a: NanoCore 0x2ec8f:$a: NanoCore 0x2f548:$a: NanoCore 0x2f59b:$a: NanoCore 0x2f5d4:$a: NanoCore 0x2f647:$a: NanoCore 0x303ff:$a: NanoCore 0x3087b:$a: NanoCore
Process Memory Space: U7Ncg7oAyC.exe PID: 2860	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6599e:$x1: NanoCore.ClientPluginHost 0x659db:$x2: IClientNetworkHost 0x694c3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x74541:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8076b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8bc85:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: U7Ncg7oAyC.exe PID: 2860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: U7Ncg7oAyC.exe PID: 2860	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: U7Ncg7oAyC.exe PID: 2860	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6566b:$a: NanoCore 0x6567b:$a: NanoCore 0x6573a:$a: NanoCore 0x65749:$a: NanoCore 0x6594a:$a: NanoCore 0x6595e:$a: NanoCore 0x6599e:$a: NanoCore 0x70bab:$a: NanoCore 0x70bbd:$a: NanoCore 0x70bf9:$a: NanoCore 0x7cdd5:$a: NanoCore 0x7cde7:$a: NanoCore 0x7ce23:$a: NanoCore 0x882ef:$a: NanoCore 0x88301:$a: NanoCore 0x8833d:$a: NanoCore 0x656ca:$b: ClientPlugin 0x65793:$b: ClientPlugin 0x65967:$b: ClientPlugin 0x659a7:$b: ClientPlugin 0x70bc6:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 5308	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7defc:$x1: NanoCore.ClientPluginHost 0x7df39:$x2: IClientNetworkHost 0x81a21:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8ca9f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x98cc9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa4059:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5308	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 5308	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5308	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7dbc9:$a: NanoCore 0x7dbd9:$a: NanoCore 0x7dc98:$a: NanoCore 0x7dca7:$a: NanoCore 0x7dea8:$a: NanoCore 0x7debc:$a: NanoCore 0x7defc:$a: NanoCore 0x89109:$a: NanoCore 0x8911b:$a: NanoCore 0x89157:$a: NanoCore 0x95333:$a: NanoCore 0x95345:$a: NanoCore 0x95381:$a: NanoCore 0xa06c3:$a: NanoCore 0xa06d5:$a: NanoCore 0xa0711:$a: NanoCore 0x7dc28:$b: ClientPlugin 0x7dcf1:$b: ClientPlugin 0x7dec5:$b: ClientPlugin 0x7df05:$b: ClientPlugin 0x89124:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 5256	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x662b8:$x1: NanoCore.ClientPluginHost 0x662f5:$x2: IClientNetworkHost 0x69ddd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x74e5b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x81085:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8c59f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 5256	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5256	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x65f85:$a: NanoCore 0x65f95:$a: NanoCore 0x66054:$a: NanoCore 0x66063:$a: NanoCore 0x66264:$a: NanoCore 0x66278:$a: NanoCore 0x662b8:$a: NanoCore 0x714c5:$a: NanoCore 0x714d7:$a: NanoCore 0x71513:$a: NanoCore 0x7d6ef:$a: NanoCore 0x7d701:$a: NanoCore 0x7d73d:$a: NanoCore 0x88c09:$a: NanoCore 0x88c1b:$a: NanoCore 0x88c57:$a: NanoCore 0x65fe4:$b: ClientPlugin 0x660ad:$b: ClientPlugin 0x66281:$b: ClientPlugin 0x662c1:$b: ClientPlugin 0x714e0:$b: ClientPlugin
Process Memory Space: U7Ncg7oAyC.exe PID: 6568	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1de60:$x1: NanoCore.ClientPluginHost 0x21b3e:$x1: NanoCore.ClientPluginHost 0x3a8fb:$x1: NanoCore.ClientPluginHost 0x1de7a:$x2: IClientNetworkHost 0x21b7b:$x2: IClientNetworkHost 0x3a915:$x2: IClientNetworkHost 0x2566c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x306f2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: U7Ncg7oAyC.exe PID: 6568	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: U7Ncg7oAyC.exe PID: 6568	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x874c:$a: NanoCore 0x87a7:$a: NanoCore 0x881b:$a: NanoCore 0x1ddca:$a: NanoCore 0x1de23:$a: NanoCore 0x1de60:$a: NanoCore 0x1ded9:$a: NanoCore 0x1e667:$a: NanoCore 0x1e6ba:$a: NanoCore 0x1e6f3:$a: NanoCore 0x1e766:$a: NanoCore 0x1f3e0:$a: NanoCore 0x1f7f1:$a: NanoCore 0x1f837:$a: NanoCore 0x1f9fe:$a: NanoCore 0x20398:$a: NanoCore 0x2180b:$a: NanoCore 0x2181b:$a: NanoCore 0x218da:$a: NanoCore 0x218e9:$a: NanoCore 0x21aea:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 640	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9d16:$x1: NanoCore.ClientPluginHost 0x37d35:$x1: NanoCore.ClientPluginHost 0x3c33c:$x1: NanoCore.ClientPluginHost 0x9d53:$x2: IClientNetworkHost 0x37d4f:$x2: IClientNetworkHost 0x3c356:$x2: IClientNetworkHost 0xd844:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x188ca:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 640	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 640	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x99e3:$a: NanoCore 0x99f3:$a: NanoCore 0x9ab2:$a: NanoCore 0x9ac1:$a: NanoCore 0x9cc2:$a: NanoCore 0x9cd6:$a: NanoCore 0x9d16:$a: NanoCore 0x14f34:$a: NanoCore 0x14f46:$a: NanoCore 0x14f82:$a: NanoCore 0x20033:$a: NanoCore 0x226e3:$a: NanoCore 0x2273e:$a: NanoCore 0x227b2:$a: NanoCore 0x37c9f:$a: NanoCore 0x37cf8:$a: NanoCore 0x37d35:$a: NanoCore 0x37dae:$a: NanoCore 0x3853c:$a: NanoCore 0x3858f:$a: NanoCore 0x385c8:$a: NanoCore
Click to see the 121 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.dhcpmon.exe.43a9e90.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x467ad:$x1: NanoCore.ClientPluginHost 0x7afcd:$x1: NanoCore.ClientPluginHost 0xaf5ed:$x1: NanoCore.ClientPluginHost 0x467ea:$x2: IClientNetworkHost 0x7b00a:$x2: IClientNetworkHost 0xaf62a:$x2: IClientNetworkHost 0x4a31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7eb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb315d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.dhcpmon.exe.43a9e90.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.43a9e90.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46515:$x1: NanoCore Client 0x46525:$x1: NanoCore Client 0x7ad35:$x1: NanoCore Client 0x7ad45:$x1: NanoCore Client 0xaf355:$x1: NanoCore Client 0xaf365:$x1: NanoCore Client 0x4676d:$x2: NanoCore.ClientPlugin 0x7af8d:$x2: NanoCore.ClientPlugin 0xaf5ad:$x2: NanoCore.ClientPlugin 0x467ad:$x3: NanoCore.ClientPluginHost 0x7afcd:$x3: NanoCore.ClientPluginHost 0xaf5ed:$x3: NanoCore.ClientPluginHost 0x46762:$i1: IClientApp 0x7af82:$i1: IClientApp 0xaf5a2:$i1: IClientApp 0x46783:$i2: IClientData 0x7afa3:$i2: IClientData 0xaf5c3:$i2: IClientData 0x4678f:$i3: IClientNetwork 0x7afaf:$i3: IClientNetwork 0xaf5cf:$i3: IClientNetwork
24.2.dhcpmon.exe.43a9e90.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46515:$a: NanoCore 0x46525:$a: NanoCore 0x46759:$a: NanoCore 0x4676d:$a: NanoCore 0x467ad:$a: NanoCore 0x7ad35:$a: NanoCore 0x7ad45:$a: NanoCore 0x7af79:$a: NanoCore 0x7af8d:$a: NanoCore 0x7afcd:$a: NanoCore 0xaf355:$a: NanoCore 0xaf365:$a: NanoCore 0xaf599:$a: NanoCore 0xaf5ad:$a: NanoCore 0xaf5ed:$a: NanoCore 0x46574:$b: ClientPlugin 0x46776:$b: ClientPlugin 0x467b6:$b: ClientPlugin 0x7ad94:$b: ClientPlugin 0x7af96:$b: ClientPlugin 0x7afd6:$b: ClientPlugin
30.2.U7Ncg7oAyC.exe.433b041.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
30.2.U7Ncg7oAyC.exe.433b041.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.433b041.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.U7Ncg7oAyC.exe.433b041.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
34.2.dhcpmon.exe.3f3560b.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x2e182:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x2e1af:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f3560b.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x151e3:$x2: NanoCore.ClientPluginHost 0x2e182:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x162be:$s4: PipeCreated 0x2f25d:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x151fd:$s5: IClientLoggingHost 0x2e19c:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f3560b.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.3f3560b.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x151ae:$x2: NanoCore.ClientPlugin 0x2e14d:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x151e3:$x3: NanoCore.ClientPluginHost 0x2e182:$x3: NanoCore.ClientPluginHost 0x151a2:$i2: IClientData 0x2e141:$i2: IClientData 0x16a6:$i3: IClientNetwork 0x151c4:$i3: IClientNetwork 0x2e163:$i3: IClientNetwork 0x151d3:$i5: IClientDataHost 0x2e172:$i5: IClientDataHost 0x1660:$i6: IClientLoggingHost 0x151fd:$i6: IClientLoggingHost 0x2e19c:$i6: IClientLoggingHost 0x15210:$i7: IClientNetworkHost 0x2e1af:$i7: IClientNetworkHost 0x15223:$i8: IClientUIHost 0x2e1c2:$i8: IClientUIHost 0x15231:$i9: IClientNameObjectCollection
34.2.dhcpmon.exe.3f3560b.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x2e138:$a: NanoCore 0x2e14d:$a: NanoCore 0x2e182:$a: NanoCore 0x13df:$b: ClientPlugin 0x164f:$b: ClientPlugin 0x1699:$b: ClientPlugin 0x14f55:$b: ClientPlugin 0x14f70:$b: ClientPlugin 0x14fa0:$b: ClientPlugin 0x151b7:$b: ClientPlugin 0x151ec:$b: ClientPlugin 0x2def4:$b: ClientPlugin 0x2df0f:$b: ClientPlugin 0x2df3f:$b: ClientPlugin 0x2e156:$b: ClientPlugin
19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x449ad:$x1: NanoCore.ClientPluginHost 0x78fcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x449ea:$x2: IClientNetworkHost 0x7900a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7cb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44715:$x1: NanoCore Client 0x44725:$x1: NanoCore Client 0x78d35:$x1: NanoCore Client 0x78d45:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4496d:$x2: NanoCore.ClientPlugin 0x78f8d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x449ad:$x3: NanoCore.ClientPluginHost 0x78fcd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44962:$i1: IClientApp 0x78f82:$i1: IClientApp 0x10163:$i2: IClientData 0x44983:$i2: IClientData 0x78fa3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4498f:$i3: IClientNetwork 0x78faf:$i3: IClientNetwork
19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44715:$a: NanoCore 0x44725:$a: NanoCore 0x44959:$a: NanoCore 0x4496d:$a: NanoCore 0x449ad:$a: NanoCore 0x78d35:$a: NanoCore 0x78d45:$a: NanoCore 0x78f79:$a: NanoCore 0x78f8d:$a: NanoCore 0x78fcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44774:$b: ClientPlugin 0x44976:$b: ClientPlugin 0x449b6:$b: ClientPlugin
30.0.U7Ncg7oAyC.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.0.U7Ncg7oAyC.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.0.U7Ncg7oAyC.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.0.U7Ncg7oAyC.exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
30.0.U7Ncg7oAyC.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x66a6:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x66a6:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6784:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x66c0:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x66f0:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x66a6:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x6706:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x66c0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x643f:$s1: ClientPlugin 0x66f9:$s1: ClientPlugin
34.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.0.dhcpmon.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.0.dhcpmon.exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
34.0.dhcpmon.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
22.2.dhcpmon.exe.4dd04b0.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.4dd04b0.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.4dd04b0.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.4dd04b0.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
22.2.dhcpmon.exe.4dd04b0.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.0.U7Ncg7oAyC.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.U7Ncg7oAyC.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.U7Ncg7oAyC.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.U7Ncg7oAyC.exe.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.0.U7Ncg7oAyC.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
30.2.U7Ncg7oAyC.exe.3349530.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x42a6:$x1: NanoCore.ClientPluginHost
30.2.U7Ncg7oAyC.exe.3349530.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x42a6:$x2: NanoCore.ClientPluginHost 0x4384:$s4: PipeCreated 0x42c0:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.3349530.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x42f0:$x2: NanoCore.ClientPlugin 0x42a6:$x3: NanoCore.ClientPluginHost 0x4306:$i3: IClientNetwork 0x42c0:$i6: IClientLoggingHost 0x403f:$s1: ClientPlugin 0x42f9:$s1: ClientPlugin
6.0.U7Ncg7oAyC.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.U7Ncg7oAyC.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.U7Ncg7oAyC.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.U7Ncg7oAyC.exe.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.0.U7Ncg7oAyC.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x2874c:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28779:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x2874c:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29827:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28766:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28717:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x2874c:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x2870b:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2872d:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x2873c:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28766:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28779:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x2878c:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x2879a:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x287b6:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
24.2.dhcpmon.exe.4414cd0.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.dhcpmon.exe.4414cd0.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
24.2.dhcpmon.exe.4414cd0.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.4414cd0.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
24.2.dhcpmon.exe.4414cd0.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
6.0.U7Ncg7oAyC.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.U7Ncg7oAyC.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.U7Ncg7oAyC.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.U7Ncg7oAyC.exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.0.U7Ncg7oAyC.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
30.0.U7Ncg7oAyC.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.0.U7Ncg7oAyC.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.0.U7Ncg7oAyC.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.0.U7Ncg7oAyC.exe.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
30.0.U7Ncg7oAyC.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.0.U7Ncg7oAyC.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.U7Ncg7oAyC.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.U7Ncg7oAyC.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.U7Ncg7oAyC.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.0.U7Ncg7oAyC.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
34.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.0.dhcpmon.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.0.dhcpmon.exe.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
34.0.dhcpmon.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
34.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
34.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
30.0.U7Ncg7oAyC.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.0.U7Ncg7oAyC.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.0.U7Ncg7oAyC.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.0.U7Ncg7oAyC.exe.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
30.0.U7Ncg7oAyC.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
22.2.dhcpmon.exe.4d99e90.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x467ad:$x1: NanoCore.ClientPluginHost 0x7afcd:$x1: NanoCore.ClientPluginHost 0xaf5ed:$x1: NanoCore.ClientPluginHost 0x467ea:$x2: IClientNetworkHost 0x7b00a:$x2: IClientNetworkHost 0xaf62a:$x2: IClientNetworkHost 0x4a31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7eb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb315d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.4d99e90.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.4d99e90.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46515:$x1: NanoCore Client 0x46525:$x1: NanoCore Client 0x7ad35:$x1: NanoCore Client 0x7ad45:$x1: NanoCore Client 0xaf355:$x1: NanoCore Client 0xaf365:$x1: NanoCore Client 0x4676d:$x2: NanoCore.ClientPlugin 0x7af8d:$x2: NanoCore.ClientPlugin 0xaf5ad:$x2: NanoCore.ClientPlugin 0x467ad:$x3: NanoCore.ClientPluginHost 0x7afcd:$x3: NanoCore.ClientPluginHost 0xaf5ed:$x3: NanoCore.ClientPluginHost 0x46762:$i1: IClientApp 0x7af82:$i1: IClientApp 0xaf5a2:$i1: IClientApp 0x46783:$i2: IClientData 0x7afa3:$i2: IClientData 0xaf5c3:$i2: IClientData 0x4678f:$i3: IClientNetwork 0x7afaf:$i3: IClientNetwork 0xaf5cf:$i3: IClientNetwork
22.2.dhcpmon.exe.4d99e90.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46515:$a: NanoCore 0x46525:$a: NanoCore 0x46759:$a: NanoCore 0x4676d:$a: NanoCore 0x467ad:$a: NanoCore 0x7ad35:$a: NanoCore 0x7ad45:$a: NanoCore 0x7af79:$a: NanoCore 0x7af8d:$a: NanoCore 0x7afcd:$a: NanoCore 0xaf355:$a: NanoCore 0xaf365:$a: NanoCore 0xaf599:$a: NanoCore 0xaf5ad:$a: NanoCore 0xaf5ed:$a: NanoCore 0x46574:$b: ClientPlugin 0x46776:$b: ClientPlugin 0x467b6:$b: ClientPlugin 0x7ad94:$b: ClientPlugin 0x7af96:$b: ClientPlugin 0x7afd6:$b: ClientPlugin
6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x64a6:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x64a6:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6584:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x64c0:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64f0:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x64a6:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x6506:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x64c0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x623f:$s1: ClientPlugin 0x64f9:$s1: ClientPlugin
0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x449ad:$x1: NanoCore.ClientPluginHost 0x78fcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x449ea:$x2: IClientNetworkHost 0x7900a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7cb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44715:$x1: NanoCore Client 0x44725:$x1: NanoCore Client 0x78d35:$x1: NanoCore Client 0x78d45:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4496d:$x2: NanoCore.ClientPlugin 0x78f8d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x449ad:$x3: NanoCore.ClientPluginHost 0x78fcd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44962:$i1: IClientApp 0x78f82:$i1: IClientApp 0x10163:$i2: IClientData 0x44983:$i2: IClientData 0x78fa3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4498f:$i3: IClientNetwork 0x78faf:$i3: IClientNetwork
0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44715:$a: NanoCore 0x44725:$a: NanoCore 0x44959:$a: NanoCore 0x4496d:$a: NanoCore 0x449ad:$a: NanoCore 0x78d35:$a: NanoCore 0x78d45:$a: NanoCore 0x78f79:$a: NanoCore 0x78f8d:$a: NanoCore 0x78fcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44774:$b: ClientPlugin 0x44976:$b: ClientPlugin 0x449b6:$b: ClientPlugin
34.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.0.dhcpmon.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.0.dhcpmon.exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
34.0.dhcpmon.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.dhcpmon.exe.43e04b0.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x449ad:$x1: NanoCore.ClientPluginHost 0x78fcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x449ea:$x2: IClientNetworkHost 0x7900a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7cb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.dhcpmon.exe.43e04b0.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.43e04b0.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44715:$x1: NanoCore Client 0x44725:$x1: NanoCore Client 0x78d35:$x1: NanoCore Client 0x78d45:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4496d:$x2: NanoCore.ClientPlugin 0x78f8d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x449ad:$x3: NanoCore.ClientPluginHost 0x78fcd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44962:$i1: IClientApp 0x78f82:$i1: IClientApp 0x10163:$i2: IClientData 0x44983:$i2: IClientData 0x78fa3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4498f:$i3: IClientNetwork 0x78faf:$i3: IClientNetwork
24.2.dhcpmon.exe.43e04b0.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44715:$a: NanoCore 0x44725:$a: NanoCore 0x44959:$a: NanoCore 0x4496d:$a: NanoCore 0x449ad:$a: NanoCore 0x78d35:$a: NanoCore 0x78d45:$a: NanoCore 0x78f79:$a: NanoCore 0x78f8d:$a: NanoCore 0x78fcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44774:$b: ClientPlugin 0x44976:$b: ClientPlugin 0x449b6:$b: ClientPlugin
30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
22.2.dhcpmon.exe.4e04cd0.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x447ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x447ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4831d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.4e04cd0.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x44525:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x447ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x45de6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x45dda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x46c8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ca42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x447d7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.4e04cd0.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.4e04cd0.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44515:$x1: NanoCore Client 0x44525:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4476d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x447ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44762:$i1: IClientApp 0x10163:$i2: IClientData 0x44783:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4478f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4479e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x447c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x447d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
22.2.dhcpmon.exe.4e04cd0.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44515:$a: NanoCore 0x44525:$a: NanoCore 0x44759:$a: NanoCore 0x4476d:$a: NanoCore 0x447ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44574:$b: ClientPlugin 0x44776:$b: ClientPlugin 0x447b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4469b:$c: ProjectData 0x10a82:$d: DESCrypto 0x450a2:$d: DESCrypto 0x1844e:$e: KeepAlive
34.2.dhcpmon.exe.3f307ce.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4083:$x1: NanoCore.ClientPluginHost
34.2.dhcpmon.exe.3f307ce.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f307ce.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40cd:$x2: NanoCore.ClientPlugin 0x4083:$x3: NanoCore.ClientPluginHost 0x40e3:$i3: IClientNetwork 0x409d:$i6: IClientLoggingHost 0x3e1c:$s1: ClientPlugin 0x40d6:$s1: ClientPlugin
19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x447ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x447ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4831d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x44525:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x447ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x45de6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x45dda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x46c8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ca42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x447d7:$s5: IClientLoggingHost
19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44515:$x1: NanoCore Client 0x44525:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4476d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x447ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44762:$i1: IClientApp 0x10163:$i2: IClientData 0x44783:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4478f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4479e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x447c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x447d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44515:$a: NanoCore 0x44525:$a: NanoCore 0x44759:$a: NanoCore 0x4476d:$a: NanoCore 0x447ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44574:$b: ClientPlugin 0x44776:$b: ClientPlugin 0x447b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4469b:$c: ProjectData 0x10a82:$d: DESCrypto 0x450a2:$d: DESCrypto 0x1844e:$e: KeepAlive
34.2.dhcpmon.exe.2f49658.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x66a6:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
34.2.dhcpmon.exe.2f49658.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x66a6:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6784:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x66c0:$s5: IClientLoggingHost
34.2.dhcpmon.exe.2f49658.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x66f0:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x66a6:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x6706:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x66c0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x643f:$s1: ClientPlugin 0x66f9:$s1: ClientPlugin
34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x467ad:$x1: NanoCore.ClientPluginHost 0x7afcd:$x1: NanoCore.ClientPluginHost 0xaf5ed:$x1: NanoCore.ClientPluginHost 0x467ea:$x2: IClientNetworkHost 0x7b00a:$x2: IClientNetworkHost 0xaf62a:$x2: IClientNetworkHost 0x4a31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7eb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb315d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46515:$x1: NanoCore Client 0x46525:$x1: NanoCore Client 0x7ad35:$x1: NanoCore Client 0x7ad45:$x1: NanoCore Client 0xaf355:$x1: NanoCore Client 0xaf365:$x1: NanoCore Client 0x4676d:$x2: NanoCore.ClientPlugin 0x7af8d:$x2: NanoCore.ClientPlugin 0xaf5ad:$x2: NanoCore.ClientPlugin 0x467ad:$x3: NanoCore.ClientPluginHost 0x7afcd:$x3: NanoCore.ClientPluginHost 0xaf5ed:$x3: NanoCore.ClientPluginHost 0x46762:$i1: IClientApp 0x7af82:$i1: IClientApp 0xaf5a2:$i1: IClientApp 0x46783:$i2: IClientData 0x7afa3:$i2: IClientData 0xaf5c3:$i2: IClientData 0x4678f:$i3: IClientNetwork 0x7afaf:$i3: IClientNetwork 0xaf5cf:$i3: IClientNetwork
0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46515:$a: NanoCore 0x46525:$a: NanoCore 0x46759:$a: NanoCore 0x4676d:$a: NanoCore 0x467ad:$a: NanoCore 0x7ad35:$a: NanoCore 0x7ad45:$a: NanoCore 0x7af79:$a: NanoCore 0x7af8d:$a: NanoCore 0x7afcd:$a: NanoCore 0xaf355:$a: NanoCore 0xaf365:$a: NanoCore 0xaf599:$a: NanoCore 0xaf5ad:$a: NanoCore 0xaf5ed:$a: NanoCore 0x46574:$b: ClientPlugin 0x46776:$b: ClientPlugin 0x467b6:$b: ClientPlugin 0x7ad94:$b: ClientPlugin 0x7af96:$b: ClientPlugin 0x7afd6:$b: ClientPlugin
30.2.U7Ncg7oAyC.exe.43307ce.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4083:$x1: NanoCore.ClientPluginHost
30.2.U7Ncg7oAyC.exe.43307ce.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.43307ce.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40cd:$x2: NanoCore.ClientPlugin 0x4083:$x3: NanoCore.ClientPluginHost 0x40e3:$i3: IClientNetwork 0x409d:$i6: IClientLoggingHost 0x3e1c:$s1: ClientPlugin 0x40d6:$s1: ClientPlugin
6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
34.2.dhcpmon.exe.3f3b041.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x2874c:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28779:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f3b041.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x2874c:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29827:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28766:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f3b041.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.3f3b041.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28717:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x2874c:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x2870b:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2872d:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x2873c:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28766:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28779:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x2878c:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x2879a:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x287b6:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
30.0.U7Ncg7oAyC.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.0.U7Ncg7oAyC.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.0.U7Ncg7oAyC.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.0.U7Ncg7oAyC.exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
30.0.U7Ncg7oAyC.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x40a6:$x1: NanoCore.ClientPluginHost
6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x40a6:$x2: NanoCore.ClientPluginHost 0x4184:$s4: PipeCreated 0x40c0:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40f0:$x2: NanoCore.ClientPlugin 0x40a6:$x3: NanoCore.ClientPluginHost 0x4106:$i3: IClientNetwork 0x40c0:$i6: IClientLoggingHost 0x3e3f:$s1: ClientPlugin 0x40f9:$s1: ClientPlugin
6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
6.2.U7Ncg7oAyC.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.U7Ncg7oAyC.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.2.U7Ncg7oAyC.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.0.U7Ncg7oAyC.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.U7Ncg7oAyC.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.U7Ncg7oAyC.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.U7Ncg7oAyC.exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.0.U7Ncg7oAyC.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x2e182:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x2e1af:$x2: IClientNetworkHost
30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x151e3:$x2: NanoCore.ClientPluginHost 0x2e182:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x162be:$s4: PipeCreated 0x2f25d:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x151fd:$s5: IClientLoggingHost 0x2e19c:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x151ae:$x2: NanoCore.ClientPlugin 0x2e14d:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x151e3:$x3: NanoCore.ClientPluginHost 0x2e182:$x3: NanoCore.ClientPluginHost 0x151a2:$i2: IClientData 0x2e141:$i2: IClientData 0x16a6:$i3: IClientNetwork 0x151c4:$i3: IClientNetwork 0x2e163:$i3: IClientNetwork 0x151d3:$i5: IClientDataHost 0x2e172:$i5: IClientDataHost 0x1660:$i6: IClientLoggingHost 0x151fd:$i6: IClientLoggingHost 0x2e19c:$i6: IClientLoggingHost 0x15210:$i7: IClientNetworkHost 0x2e1af:$i7: IClientNetworkHost 0x15223:$i8: IClientUIHost 0x2e1c2:$i8: IClientUIHost 0x15231:$i9: IClientNameObjectCollection
30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x2e138:$a: NanoCore 0x2e14d:$a: NanoCore 0x2e182:$a: NanoCore 0x13df:$b: ClientPlugin 0x164f:$b: ClientPlugin 0x1699:$b: ClientPlugin 0x14f55:$b: ClientPlugin 0x14f70:$b: ClientPlugin 0x14fa0:$b: ClientPlugin 0x151b7:$b: ClientPlugin 0x151ec:$b: ClientPlugin 0x2def4:$b: ClientPlugin 0x2df0f:$b: ClientPlugin 0x2df3f:$b: ClientPlugin 0x2e156:$b: ClientPlugin
6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x32fbf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x32fec:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x6483:$x2: NanoCore.ClientPluginHost 0x1a020:$x2: NanoCore.ClientPluginHost 0x32fbf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6561:$s4: PipeCreated 0x1b0fb:$s4: PipeCreated 0x3409a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x649d:$s5: IClientLoggingHost 0x1a03a:$s5: IClientLoggingHost 0x32fd9:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64cd:$x2: NanoCore.ClientPlugin 0x19feb:$x2: NanoCore.ClientPlugin 0x32f8a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x6483:$x3: NanoCore.ClientPluginHost 0x1a020:$x3: NanoCore.ClientPluginHost 0x32fbf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x19fdf:$i2: IClientData 0x32f7e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x64e3:$i3: IClientNetwork 0x1a001:$i3: IClientNetwork 0x32fa0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x1a010:$i5: IClientDataHost 0x32faf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x32f75:$a: NanoCore 0x32f8a:$a: NanoCore 0x32fbf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x621c:$b: ClientPlugin 0x648c:$b: ClientPlugin 0x64d6:$b: ClientPlugin 0x19d92:$b: ClientPlugin
0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x2874c:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28779:$x2: IClientNetworkHost
30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x2874c:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29827:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28766:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28717:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x2874c:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x2870b:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2872d:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x2873c:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28766:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28779:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x2878c:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x2879a:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x287b6:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
34.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.0.dhcpmon.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.0.dhcpmon.exe.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
34.0.dhcpmon.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4083:$x1: NanoCore.ClientPluginHost
6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40cd:$x2: NanoCore.ClientPlugin 0x4083:$x3: NanoCore.ClientPluginHost 0x40e3:$i3: IClientNetwork 0x409d:$i6: IClientLoggingHost 0x3e1c:$s1: ClientPlugin 0x40d6:$s1: ClientPlugin
0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x447ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x447ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4831d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x44525:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x447ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x45de6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x45dda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x46c8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ca42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x447d7:$s5: IClientLoggingHost
0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44515:$x1: NanoCore Client 0x44525:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4476d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x447ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44762:$i1: IClientApp 0x10163:$i2: IClientData 0x44783:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4478f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4479e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x447c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x447d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44515:$a: NanoCore 0x44525:$a: NanoCore 0x44759:$a: NanoCore 0x4476d:$a: NanoCore 0x447ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44574:$b: ClientPlugin 0x44776:$b: ClientPlugin 0x447b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4469b:$c: ProjectData 0x10a82:$d: DESCrypto 0x450a2:$d: DESCrypto 0x1844e:$e: KeepAlive
30.0.U7Ncg7oAyC.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.0.U7Ncg7oAyC.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.0.U7Ncg7oAyC.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.0.U7Ncg7oAyC.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
30.0.U7Ncg7oAyC.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
22.2.dhcpmon.exe.4e04cd0.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.4e04cd0.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.4e04cd0.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.4e04cd0.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
22.2.dhcpmon.exe.4e04cd0.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
24.2.dhcpmon.exe.43e04b0.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.dhcpmon.exe.43e04b0.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
24.2.dhcpmon.exe.43e04b0.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.43e04b0.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
24.2.dhcpmon.exe.43e04b0.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
24.2.dhcpmon.exe.4414cd0.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x447ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x447ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4831d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.dhcpmon.exe.4414cd0.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x44525:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x447ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x45de6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x45dda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x46c8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ca42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x447d7:$s5: IClientLoggingHost
24.2.dhcpmon.exe.4414cd0.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.4414cd0.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44515:$x1: NanoCore Client 0x44525:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4476d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x447ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44762:$i1: IClientApp 0x10163:$i2: IClientData 0x44783:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4478f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4479e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x447c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x447d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
24.2.dhcpmon.exe.4414cd0.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44515:$a: NanoCore 0x44525:$a: NanoCore 0x44759:$a: NanoCore 0x4476d:$a: NanoCore 0x447ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44574:$b: ClientPlugin 0x44776:$b: ClientPlugin 0x447b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4469b:$c: ProjectData 0x10a82:$d: DESCrypto 0x450a2:$d: DESCrypto 0x1844e:$e: KeepAlive
30.2.U7Ncg7oAyC.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.2.U7Ncg7oAyC.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.U7Ncg7oAyC.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
30.2.U7Ncg7oAyC.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.U7Ncg7oAyC.exe.3aab041.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.3aab041.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.3aab041.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.3aab041.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
34.2.dhcpmon.exe.3f3b041.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f3b041.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f3b041.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.3f3b041.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
19.2.U7Ncg7oAyC.exe.44104b0.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.U7Ncg7oAyC.exe.44104b0.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.U7Ncg7oAyC.exe.44104b0.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.U7Ncg7oAyC.exe.44104b0.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
19.2.U7Ncg7oAyC.exe.44104b0.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
34.2.dhcpmon.exe.2f49658.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x42a6:$x1: NanoCore.ClientPluginHost
34.2.dhcpmon.exe.2f49658.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x42a6:$x2: NanoCore.ClientPluginHost 0x4384:$s4: PipeCreated 0x42c0:$s5: IClientLoggingHost
34.2.dhcpmon.exe.2f49658.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x42f0:$x2: NanoCore.ClientPlugin 0x42a6:$x3: NanoCore.ClientPluginHost 0x4306:$i3: IClientNetwork 0x42c0:$i6: IClientLoggingHost 0x403f:$s1: ClientPlugin 0x42f9:$s1: ClientPlugin
34.2.dhcpmon.exe.3f307ce.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x32fbf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x32fec:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f307ce.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x6483:$x2: NanoCore.ClientPluginHost 0x1a020:$x2: NanoCore.ClientPluginHost 0x32fbf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6561:$s4: PipeCreated 0x1b0fb:$s4: PipeCreated 0x3409a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x649d:$s5: IClientLoggingHost 0x1a03a:$s5: IClientLoggingHost 0x32fd9:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f307ce.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.3f307ce.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64cd:$x2: NanoCore.ClientPlugin 0x19feb:$x2: NanoCore.ClientPlugin 0x32f8a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x6483:$x3: NanoCore.ClientPluginHost 0x1a020:$x3: NanoCore.ClientPluginHost 0x32fbf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x19fdf:$i2: IClientData 0x32f7e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x64e3:$i3: IClientNetwork 0x1a001:$i3: IClientNetwork 0x32fa0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x1a010:$i5: IClientDataHost 0x32faf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost
34.2.dhcpmon.exe.3f307ce.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x32f75:$a: NanoCore 0x32f8a:$a: NanoCore 0x32fbf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x621c:$b: ClientPlugin 0x648c:$b: ClientPlugin 0x64d6:$b: ClientPlugin 0x19d92:$b: ClientPlugin
6.2.U7Ncg7oAyC.exe.52c0000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.52c0000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.52c0000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.52c0000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x467ad:$x1: NanoCore.ClientPluginHost 0x7afcd:$x1: NanoCore.ClientPluginHost 0xaf5ed:$x1: NanoCore.ClientPluginHost 0x467ea:$x2: IClientNetworkHost 0x7b00a:$x2: IClientNetworkHost 0xaf62a:$x2: IClientNetworkHost 0x4a31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7eb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb315d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46515:$x1: NanoCore Client 0x46525:$x1: NanoCore Client 0x7ad35:$x1: NanoCore Client 0x7ad45:$x1: NanoCore Client 0xaf355:$x1: NanoCore Client 0xaf365:$x1: NanoCore Client 0x4676d:$x2: NanoCore.ClientPlugin 0x7af8d:$x2: NanoCore.ClientPlugin 0xaf5ad:$x2: NanoCore.ClientPlugin 0x467ad:$x3: NanoCore.ClientPluginHost 0x7afcd:$x3: NanoCore.ClientPluginHost 0xaf5ed:$x3: NanoCore.ClientPluginHost 0x46762:$i1: IClientApp 0x7af82:$i1: IClientApp 0xaf5a2:$i1: IClientApp 0x46783:$i2: IClientData 0x7afa3:$i2: IClientData 0xaf5c3:$i2: IClientData 0x4678f:$i3: IClientNetwork 0x7afaf:$i3: IClientNetwork 0xaf5cf:$i3: IClientNetwork
19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46515:$a: NanoCore 0x46525:$a: NanoCore 0x46759:$a: NanoCore 0x4676d:$a: NanoCore 0x467ad:$a: NanoCore 0x7ad35:$a: NanoCore 0x7ad45:$a: NanoCore 0x7af79:$a: NanoCore 0x7af8d:$a: NanoCore 0x7afcd:$a: NanoCore 0xaf355:$a: NanoCore 0xaf365:$a: NanoCore 0xaf599:$a: NanoCore 0xaf5ad:$a: NanoCore 0xaf5ed:$a: NanoCore 0x46574:$b: ClientPlugin 0x46776:$b: ClientPlugin 0x467b6:$b: ClientPlugin 0x7ad94:$b: ClientPlugin 0x7af96:$b: ClientPlugin 0x7afd6:$b: ClientPlugin
6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x2e182:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x2e1af:$x2: IClientNetworkHost
6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x151e3:$x2: NanoCore.ClientPluginHost 0x2e182:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x162be:$s4: PipeCreated 0x2f25d:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x151fd:$s5: IClientLoggingHost 0x2e19c:$s5: IClientLoggingHost
6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x151ae:$x2: NanoCore.ClientPlugin 0x2e14d:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x151e3:$x3: NanoCore.ClientPluginHost 0x2e182:$x3: NanoCore.ClientPluginHost 0x151a2:$i2: IClientData 0x2e141:$i2: IClientData 0x16a6:$i3: IClientNetwork 0x151c4:$i3: IClientNetwork 0x2e163:$i3: IClientNetwork 0x151d3:$i5: IClientDataHost 0x2e172:$i5: IClientDataHost 0x1660:$i6: IClientLoggingHost 0x151fd:$i6: IClientLoggingHost 0x2e19c:$i6: IClientLoggingHost 0x15210:$i7: IClientNetworkHost 0x2e1af:$i7: IClientNetworkHost 0x15223:$i8: IClientUIHost 0x2e1c2:$i8: IClientUIHost 0x15231:$i9: IClientNameObjectCollection
6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x2e138:$a: NanoCore 0x2e14d:$a: NanoCore 0x2e182:$a: NanoCore 0x13df:$b: ClientPlugin 0x164f:$b: ClientPlugin 0x1699:$b: ClientPlugin 0x14f55:$b: ClientPlugin 0x14f70:$b: ClientPlugin 0x14fa0:$b: ClientPlugin 0x151b7:$b: ClientPlugin 0x151ec:$b: ClientPlugin 0x2def4:$b: ClientPlugin 0x2df0f:$b: ClientPlugin 0x2df3f:$b: ClientPlugin 0x2e156:$b: ClientPlugin
30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x32fbf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x32fec:$x2: IClientNetworkHost
30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x6483:$x2: NanoCore.ClientPluginHost 0x1a020:$x2: NanoCore.ClientPluginHost 0x32fbf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6561:$s4: PipeCreated 0x1b0fb:$s4: PipeCreated 0x3409a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x649d:$s5: IClientLoggingHost 0x1a03a:$s5: IClientLoggingHost 0x32fd9:$s5: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64cd:$x2: NanoCore.ClientPlugin 0x19feb:$x2: NanoCore.ClientPlugin 0x32f8a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x6483:$x3: NanoCore.ClientPluginHost 0x1a020:$x3: NanoCore.ClientPluginHost 0x32fbf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x19fdf:$i2: IClientData 0x32f7e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x64e3:$i3: IClientNetwork 0x1a001:$i3: IClientNetwork 0x32fa0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x1a010:$i5: IClientDataHost 0x32faf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost
30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x32f75:$a: NanoCore 0x32f8a:$a: NanoCore 0x32fbf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x621c:$b: ClientPlugin 0x648c:$b: ClientPlugin 0x64d6:$b: ClientPlugin 0x19d92:$b: ClientPlugin
34.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.0.dhcpmon.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.0.dhcpmon.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
34.0.dhcpmon.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
22.2.dhcpmon.exe.4dd04b0.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x449ad:$x1: NanoCore.ClientPluginHost 0x78fcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x449ea:$x2: IClientNetworkHost 0x7900a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7cb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.4dd04b0.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.4dd04b0.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44715:$x1: NanoCore Client 0x44725:$x1: NanoCore Client 0x78d35:$x1: NanoCore Client 0x78d45:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4496d:$x2: NanoCore.ClientPlugin 0x78f8d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x449ad:$x3: NanoCore.ClientPluginHost 0x78fcd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44962:$i1: IClientApp 0x78f82:$i1: IClientApp 0x10163:$i2: IClientData 0x44983:$i2: IClientData 0x78fa3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4498f:$i3: IClientNetwork 0x78faf:$i3: IClientNetwork
22.2.dhcpmon.exe.4dd04b0.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44715:$a: NanoCore 0x44725:$a: NanoCore 0x44959:$a: NanoCore 0x4496d:$a: NanoCore 0x449ad:$a: NanoCore 0x78d35:$a: NanoCore 0x78d45:$a: NanoCore 0x78f79:$a: NanoCore 0x78f8d:$a: NanoCore 0x78fcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44774:$b: ClientPlugin 0x44976:$b: ClientPlugin 0x449b6:$b: ClientPlugin
Click to see the 285 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: U7Ncg7oAyC.exe	Virustotal: Detection: 43%			Perma Link
Source: U7Ncg7oAyC.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\LYKZypsugb.exe	ReversingLabs: Detection: 63%

Yara detected Nanocore RAT

Source: Yara match	File source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

Machine Learning detection for sample

Source: U7Ncg7oAyC.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\LYKZypsugb.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Source: 24.2.dhcpmon.exe.3b0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.U7Ncg7oAyC.exe.420000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 34.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.dhcpmon.exe.cf0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack	Avira: Label: TR/NanoCore.fadte

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 19.2.U7Ncg7oAyC.exe.420000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 22.2.dhcpmon.exe.cf0000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 24.2.dhcpmon.exe.3b0000.0.unpack

Source: U7Ncg7oAyC.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: U7Ncg7oAyC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-24h]	19_2_07E04F40
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04F40
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then xor edx, edx	19_2_07E04E78
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_07E04AB0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-24h]	19_2_07E04F3B
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04F3B
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then xor edx, edx	19_2_07E04E6C
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-20h]	19_2_07E04C20
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04C20
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then push dword ptr [ebp-20h]	19_2_07E04C14
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_07E04C14
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_07E04AA7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	24_2_04E194D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	24_2_04E17B3C

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 102.89.42.162 ports 54761,1,4,5,6,7
Source: global traffic	TCP traffic: 185.19.85.160 ports 54761,1,4,5,6,7

Source: global traffic	TCP traffic: 192.168.2.4:49763 -> 102.89.42.162:54761
Source: global traffic	TCP traffic: 192.168.2.4:49778 -> 185.19.85.160:54761

Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.19.85.160

Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: fastspeed.ddnsfree.com

Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: U7Ncg7oAyC.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D720E8	0_2_02D720E8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D73040	0_2_02D73040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D70470	0_2_02D70470
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D7B558	0_2_02D7B558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D70FE8	0_2_02D70FE8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75340	0_2_02D75340
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75330	0_2_02D75330
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75138	0_2_02D75138
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75128	0_2_02D75128
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75738	0_2_02D75738
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75558	0_2_02D75558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D75568	0_2_02D75568
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D74A90	0_2_02D74A90
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D74A81	0_2_02D74A81
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D71BF8	0_2_02D71BF8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D73ED0	0_2_02D73ED0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D73EC1	0_2_02D73EC1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D70F3F	0_2_02D70F3F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D72F39	0_2_02D72F39
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D9770	0_2_054D9770
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D0040	0_2_054D0040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D0006	0_2_054D0006
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_09C90040	0_2_09C90040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_09C9003E	0_2_09C9003E
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_0283E480	6_2_0283E480
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_0283E471	6_2_0283E471
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_0283BBD4	6_2_0283BBD4
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_062A03F0	6_2_062A03F0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D50470	19_2_04D50470
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D5B558	19_2_04D5B558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D520E8	19_2_04D520E8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D53040	19_2_04D53040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D50FE8	19_2_04D50FE8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55558	19_2_04D55558
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55568	19_2_04D55568
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55738	19_2_04D55738
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55138	19_2_04D55138
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55128	19_2_04D55128
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55340	19_2_04D55340
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D55330	19_2_04D55330
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D53ED0	19_2_04D53ED0
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D53EC1	19_2_04D53EC1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D50F3F	19_2_04D50F3F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D52F39	19_2_04D52F39
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D54A90	19_2_04D54A90
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D54A81	19_2_04D54A81
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D51BF8	19_2_04D51BF8
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0C080	19_2_07E0C080
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E00040	19_2_07E00040
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0BC58	19_2_07E0BC58
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E05620	19_2_07E05620
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0561F	19_2_07E0561F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0C07F	19_2_07E0C07F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_07E0BC49	19_2_07E0BC49
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_0929003F	19_2_0929003F
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_09290040	19_2_09290040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3040	22_2_015A3040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A20F8	22_2_015A20F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015AB558	22_2_015AB558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0480	22_2_015A0480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0FE8	22_2_015A0FE8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5138	22_2_015A5138
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5128	22_2_015A5128
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3018	22_2_015A3018
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A20E8	22_2_015A20E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5340	22_2_015A5340
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5330	22_2_015A5330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5558	22_2_015A5558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5568	22_2_015A5568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0470	22_2_015A0470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5748	22_2_015A5748
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A5738	22_2_015A5738
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A1BF8	22_2_015A1BF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A4A90	22_2_015A4A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A4A81	22_2_015A4A81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A4DA2	22_2_015A4DA2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A1C08	22_2_015A1C08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A0F3F	22_2_015A0F3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A2FEC	22_2_015A2FEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3ED0	22_2_015A3ED0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A3EC2	22_2_015A3EC2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_05710040	22_2_05710040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_05710007	22_2_05710007
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_09B4003E	22_2_09B4003E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_09B40040	22_2_09B40040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663040	24_2_02663040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_026620E8	24_2_026620E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02660470	24_2_02660470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_0266B558	24_2_0266B558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02660FE8	24_2_02660FE8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665340	24_2_02665340
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665330	24_2_02665330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663017	24_2_02663017
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665128	24_2_02665128
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665138	24_2_02665138
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665738	24_2_02665738
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665568	24_2_02665568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02665558	24_2_02665558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02664A81	24_2_02664A81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02664A90	24_2_02664A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02661BF8	24_2_02661BF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663EC1	24_2_02663EC1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02663ED0	24_2_02663ED0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02660F3F	24_2_02660F3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02662FEB	24_2_02662FEB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04E149F4	24_2_04E149F4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04E16A21	24_2_04E16A21
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04E16A30	24_2_04E16A30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04F30040	24_2_04F30040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04F30006	24_2_04F30006

Source: U7Ncg7oAyC.exe	Binary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.309699383.0000000004715000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.311185791.0000000004F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.305800240.0000000000C24000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000000.246905121.0000000000B82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000003.269472442.0000000009BA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000000.00000002.313988013.00000000098D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFort.dll" vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe	Binary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000000.298268399.0000000000522000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe	Binary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000002.382607982.00000000004C4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000000.317398335.0000000000422000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000002.393603690.0000000004035000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 00000013.00000002.411649755.0000000004830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000000.374097639.0000000000D12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs U7Ncg7oAyC.exe
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe

Source: U7Ncg7oAyC.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: LYKZypsugb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: U7Ncg7oAyC.exe	Virustotal: Detection: 43%
Source: U7Ncg7oAyC.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

File read: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Jump to behavior

Source: U7Ncg7oAyC.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe "C:\Users\user\Desktop\U7Ncg7oAyC.exe"
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp
Source: unknown	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

File created: C:\Users\user\AppData\Roaming\LYKZypsugb.exe

Jump to behavior

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

File created: C:\Users\user\AppData\Local\Temp\tmp43AF.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@42/24@4/2

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b3a6f9ad-fdc4-4025-8d68-cc0f37771046}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: U7Ncg7oAyC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: U7Ncg7oAyC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 19.2.U7Ncg7oAyC.exe.420000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 22.2.dhcpmon.exe.cf0000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 24.2.dhcpmon.exe.3b0000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Unpacked PE file: 19.2.U7Ncg7oAyC.exe.420000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 22.2.dhcpmon.exe.cf0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Unpacked PE file: 24.2.dhcpmon.exe.3b0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

.NET source code contains potential unpacker

Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_00B82299 push ebx; ret	0_2_00B822AB
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D761E8 push esp; iretd	0_2_02D761E9
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_02D76AE1 push dword ptr [ebx]; iretd	0_2_02D76AEC
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_054D3DFB push esi; ret	0_2_054D3DFC
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 0_2_09C93DBD pushfd ; ret	0_2_09C93DBE
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 6_2_00522299 push ebx; ret	6_2_005222AB
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_00422299 push ebx; ret	19_2_004222AB
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D561E8 push esp; iretd	19_2_04D561E9
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_04D56AE1 push dword ptr [ebx]; iretd	19_2_04D56AEC
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Code function: 19_2_09293DBD pushfd ; ret	19_2_09293DBE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_00CF2299 push ebx; ret	22_2_00CF22AB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A61E8 push esp; iretd	22_2_015A61E9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_015A6AE1 push dword ptr [ebx]; iretd	22_2_015A6AEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_05713DFB push esi; ret	22_2_05713DFC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_09B43DBD pushfd ; ret	22_2_09B43DBE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_003B2299 push ebx; ret	24_2_003B22AB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_026661E8 push esp; iretd	24_2_026661E9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_02666AE1 push dword ptr [ebx]; iretd	24_2_02666AEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_04F33DFB push esi; ret	24_2_04F33DFC

Source: initial sample	Static PE information: section name: .text entropy: 7.75508986641
Source: initial sample	Static PE information: section name: .text entropy: 7.75508986641
Source: initial sample	Static PE information: section name: .text entropy: 7.75508986641

Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File created: C:\Users\user\AppData\Roaming\LYKZypsugb.exe			Jump to dropped file
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

File opened: C:\Users\user\Desktop\U7Ncg7oAyC.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6288	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 5316	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6348	Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 5544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6628	Thread sleep time: -45733s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5744	Thread sleep time: -45733s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2320	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7257	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1385	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Window / User API: threadDelayed 5589	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Window / User API: threadDelayed 3709	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Window / User API: foregroundWindowGot 676	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5015

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 45733	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 45733
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 45733
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Memory written: C:\Users\user\Desktop\U7Ncg7oAyC.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Memory written: C:\Users\user\Desktop\U7Ncg7oAyC.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Process created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: U7Ncg7oAyC.exe, 00000006.00000002.519112571.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517682575.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517867375.0000000002B35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: U7Ncg7oAyC.exe, 00000006.00000002.521213475.000000000605C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerlT
Source: U7Ncg7oAyC.exe, 00000006.00000002.521628763.0000000006D7C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerlt
Source: U7Ncg7oAyC.exe, 00000006.00000002.517929378.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.518844326.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.519038098.0000000002E53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerL@

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: U7Ncg7oAyC.exe, 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: U7Ncg7oAyC.exe, 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: U7Ncg7oAyC.exe, 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: dhcpmon.exe, 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Source: Yara match	File source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	33 Software Packing	Proc Filesystem	12 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
U7Ncg7oAyC.exe	43%	Virustotal		Browse
U7Ncg7oAyC.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
U7Ncg7oAyC.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\LYKZypsugb.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\LYKZypsugb.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
24.2.dhcpmon.exe.3b0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
30.0.U7Ncg7oAyC.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
34.0.dhcpmon.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.U7Ncg7oAyC.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
34.0.dhcpmon.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.U7Ncg7oAyC.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.U7Ncg7oAyC.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
30.0.U7Ncg7oAyC.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.U7Ncg7oAyC.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
34.0.dhcpmon.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.2.U7Ncg7oAyC.exe.420000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
30.0.U7Ncg7oAyC.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
34.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
30.0.U7Ncg7oAyC.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.U7Ncg7oAyC.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.2.U7Ncg7oAyC.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.U7Ncg7oAyC.exe.b80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
34.0.dhcpmon.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
30.0.U7Ncg7oAyC.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
22.2.dhcpmon.exe.cf0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
30.2.U7Ncg7oAyC.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
34.0.dhcpmon.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.2.U7Ncg7oAyC.exe.52c0000.10.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fastspeed.ddnsfree.com	102.89.42.162	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
102.89.42.162	fastspeed.ddnsfree.com	Nigeria		29465	VCG-ASNG	false
185.19.85.160	unknown	Switzerland		48971	DATAWIRE-ASCH	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	623790
Start date and time: 10/05/202220:24:16	2022-05-10 20:24:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	U7Ncg7oAyC.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@42/24@4/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.9% (good quality ratio 1.4%) Quality average: 45.6% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 84% Number of executed functions: 145 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing behavior and disassembly information.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:25:34	API Interceptor	683x Sleep call for process: U7Ncg7oAyC.exe modified
20:25:47	API Interceptor	117x Sleep call for process: powershell.exe modified
20:25:58	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\U7Ncg7oAyC.exe" s>$(Arg0)
20:26:00	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
20:26:02	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
20:26:11	API Interceptor	4x Sleep call for process: dhcpmon.exe modified

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	7.74828321522851
Encrypted:	false
SSDEEP:	12288:QqGhvUmBJRrmxQiRcA6qcDwnwSbKKzXHw1hwtfu4AILNTHtrlHSMOl40s0hAD0iO:pGdPBJRCGinMSmgXeQ33LL9SMOl
MD5:	1D2CA2D522F8F4E99609CF7E88E673B4
SHA1:	7754EADE48451776AB6109A0C584573780A4F531
SHA-256:	26E6FE6C78632392C446E53EB0779EC99E0864D09265B9DDA557763629EF3396
SHA-512:	427A23DFE919BC0EA067D8641829DD767DF8E68A8639E17583F3E52168E69F6CBE434B6155F807418036CEF81B62FD4F605A7EA648474B3FAA7F5C46C0E6E615
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xb..............0..............7... ...@....@.. ....................................@..................................7..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H...........t_...........p..pg..........................................2......d.m......0......nx..zm.f...m3 ....3..!..TS......7..(^.XE..d..SM..z.Rl.....\.8,....k..<...)<..:/..vA..U}..Wvf.F..Y.#.....\|..H..7..-..;OM..`&..vQ..!k.Jn.l..?A..HUk#....6.J&.w....}...."h.,..A?=.k...k..ej...F.6.X2YT&.8e. W&..x.u.........\|;.h......p.]..D.s$~r8).......f..U#..f)...n.-..=..3.... #:M[nK{.........8.[.c!).7Y(Y.+..B...]..o....\|>..e....d..-.d..A..:.*..&..j......O.T.9.sQ..7..#{

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U7Ncg7oAyC.exe.log

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22088
Entropy (8bit):	5.603576278487026
Encrypted:	false
SSDEEP:	384:/tCDSq0G3IwPko0Rb1RwSBKnkjultIU4ptQCvHg3hIn0ML+2fmAV7l/DvyZQvnIS:sIAkokM4KkCltHQKA66/Kqp0+x
MD5:	B48A3CB56D940D40899C82CB18349019
SHA1:	A81F5B80148B290F7B115B1862A6BF492754472B
SHA-256:	456907D8FEC547A994094963214D6433096460E716734BC3F0565D0017A39CD8
SHA-512:	3DF1CE0167928C518BC5E7957944FEA3D79021F7B2A672AF5E16AE8622E003D99AD78591471C3FBEFC7121075ABA22948A13B2C91C1DB486FEC1B3AF6129AB07
Malicious:	false
Reputation:	unknown
Preview:	@...e...........K.......{...........n...'.[..........@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ecs0lfa.ixf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsigrkao.tom.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1m3l4aa.d5i.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5awvum2.yte.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mft4fmko.ytz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uw5wzcbh.lxx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp43AF.tmp

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	5.144122461061698
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	9EFD51689C727F20C031623471DE2F80
SHA1:	D482AE77FF2C56200AFF26D1F60F154EA3284424
SHA-256:	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
SHA-512:	6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	5.1120026128474345
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yaxtn:cbk4oL600QydbQxIYODOLedq3Wj
MD5:	2B43925FC06B18EE3393BA0ADD40BAAF
SHA1:	CAAA2EC5919286948F8261749881EC16F002F7AE
SHA-256:	BC1F1A6129175A30B5AAB1BBA669B079FC6EEEA63932408B45360D7D17954CAD
SHA-512:	A219269E021E58E60B8ADDF2944D4704DEB13E6C83DAB93559982673D2DF7279B6DDE6C6EB2528DF5B893144679DD16132B0B366C327A7E7D34EC3163084B8B5
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp7772.tmp

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	5.144122461061698
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	9EFD51689C727F20C031623471DE2F80
SHA1:	D482AE77FF2C56200AFF26D1F60F154EA3284424
SHA-256:	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
SHA-512:	6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmpE07C.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	5.144122461061698
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	9EFD51689C727F20C031623471DE2F80
SHA1:	D482AE77FF2C56200AFF26D1F60F154EA3284424
SHA-256:	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
SHA-512:	6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmpFF8.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	5.144122461061698
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	9EFD51689C727F20C031623471DE2F80
SHA1:	D482AE77FF2C56200AFF26D1F60F154EA3284424
SHA-256:	48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
SHA-512:	6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:0SF:0o
MD5:	E1A65AC335BAFC6F6B29C3045CC80746
SHA1:	910EDE448F0375017B38504D04238B88ECE7B665
SHA-256:	39328DADE32C9C89241351CFF0BD948E101D8AACDD5DFB46AEC0B026A80138D3
SHA-512:	96FE761F46A325A48E2564669484741994EFFDE25F65F18F392D8BD4E18C1F6105DF7B7F846F572A524AFFEFF8EB83312B165700B67E2EEC77791F5C9E8F81F0
Malicious:	true
Reputation:	unknown
Preview:	.....2.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.17257423112624
Encrypted:	false
SSDEEP:	3:oNt+WfWwYHKN:oNwvwpN
MD5:	B9253443357B989E29C7F2ABD211659E
SHA1:	62C23472EF297E9AD5885DA092E10632FE9A1255
SHA-256:	9A1CC820F868A1592FB51E9FCFC659212799237AC0D601CDA4D14C2A856B0F94
SHA-512:	758C0362AD1D81B8C976079C1C1C2EFF65EA2E7966C75ACFB7ADF745F047DF07FDE309E62850E9A9F6499349D387FB48FF08FF97943B2AF8EA31AE26FC08318D
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\Desktop\U7Ncg7oAyC.exe

C:\Users\user\AppData\Roaming\LYKZypsugb.exe

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	7.74828321522851
Encrypted:	false
SSDEEP:	12288:QqGhvUmBJRrmxQiRcA6qcDwnwSbKKzXHw1hwtfu4AILNTHtrlHSMOl40s0hAD0iO:pGdPBJRCGinMSmgXeQ33LL9SMOl
MD5:	1D2CA2D522F8F4E99609CF7E88E673B4
SHA1:	7754EADE48451776AB6109A0C584573780A4F531
SHA-256:	26E6FE6C78632392C446E53EB0779EC99E0864D09265B9DDA557763629EF3396
SHA-512:	427A23DFE919BC0EA067D8641829DD767DF8E68A8639E17583F3E52168E69F6CBE434B6155F807418036CEF81B62FD4F605A7EA648474B3FAA7F5C46C0E6E615
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xb..............0..............7... ...@....@.. ....................................@..................................7..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H...........t_...........p..pg..........................................2......d.m......0......nx..zm.f...m3 ....3..!..TS......7..(^.XE..d..SM..z.Rl.....\.8,....k..<...)<..:/..vA..U}..Wvf.F..Y.#.....\|..H..7..-..;OM..`&..vQ..!k.Jn.l..?A..HUk#....6.J&.w....}...."h.,..A?=.k...k..ej...F.6.X2YT&.8e. W&..x.u.........\|;.h......p.]..D.s$~r8).......f..U#..f)...n.-..=..3.... #:M[nK{.........8.[.c!).7Y(Y.+..B...]..o....\|>..e....d..-.d..A..:.*..&..j......O.T.9.sQ..7..#{

C:\Users\user\AppData\Roaming\LYKZypsugb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220510\PowerShell_transcript.116938.fI+kujIg.20220510202544.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5789
Entropy (8bit):	5.414955622850825
Encrypted:	false
SSDEEP:	96:BZKjSNnqDo1ZOZpjSNnqDo1ZGEi8jZ2jSNnqDo1ZWhMMGZJ:1
MD5:	B8023493ACFC7513D0B49AC20F2AB2DC
SHA1:	9BC3EA79060F4698CC039DCC51BBD1F27CFD337E
SHA-256:	D7C6D92CC95D6E5BA2C61130C7ED8B40DA8015D47114BCD0FACCFFEAA6368FF2
SHA-512:	927559E2A182AAB36373159E60E4AD97157AD28FC2A46ED8E2DCBEB73B9A35D71C80C690BC5DA6E4DA4348662C57CD7D0CBF1D884270CFB2A5BA7BEF61E36CB0
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220510202547..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..Process ID: 6456..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220510202547..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..********************..Windows PowerShell transcript start..Start time: 20220510202940..Username: computer\user..RunAs User: computer\jone

C:\Users\user\Documents\20220510\PowerShell_transcript.116938.mceeeTGm.20220510202624.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5789
Entropy (8bit):	5.41591529611037
Encrypted:	false
SSDEEP:	96:BZ2jSNXqDo1ZyZhjSNXqDo1ZCEi8jZ7jSNXqDo1ZFhMMFZ+:R
MD5:	C4495982528CE031FA1A15D45CF20ABA
SHA1:	932D64C3C0B2FB6D311B2574D9D1A3D6B3E3AB0B
SHA-256:	4BAE03386C9DEE4B2DE0E955E22871D88814AEE8A94189D9C323429C397B51DC
SHA-512:	E4AFB126DB67E8858BC346BFE550099A8AFB2B3812F8CF8E96B9B8FD907C4655ABF856B39053BB723F9B516FBFAEED8FA71415A0855A607072F3B9117C0DC93D
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220510202626..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..Process ID: 6944..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220510202626..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..********************..Windows PowerShell transcript start..Start time: 20220510203015..Username: computer\user..RunAs User: computer\jone

C:\Users\user\Documents\20220510\PowerShell_transcript.116938.t0abdEXe.20220510202615.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5789
Entropy (8bit):	5.417413913822655
Encrypted:	false
SSDEEP:	96:BZ6jSNp3qDo1ZaZJjSNp3qDo1ZzEi8jZfjSNp3qDo1ZhhMM8Z/:A
MD5:	5B233F88C4CC3E2FDC7A7C2A28841E46
SHA1:	EAEBE12A987BDC0EF1E17349AD12C6578E404F8E
SHA-256:	46B9CF88587AA3AC70A8BCFE4786B2BEF96982598C4F4A0122FCBBD23E2040A2
SHA-512:	5E10920CE9093116FE0F1BBDCE4179248D1CC234D05E769558A1A0AA056019DF5EA3F00628D9DEC649C63B446D1F52D110EDA6C68D8C0CE912AC0D3C31AABEC5
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220510202617..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..Process ID: 5684..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220510202617..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..********************..Windows PowerShell transcript start..Start time: 20220510202852..Username: computer\user..RunAs User: computer\jone

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.74828321522851
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	U7Ncg7oAyC.exe
File size:	664064
MD5:	1d2ca2d522f8f4e99609cf7e88e673b4
SHA1:	7754eade48451776ab6109a0c584573780a4f531
SHA256:	26e6fe6c78632392c446e53eb0779ec99e0864d09265b9dda557763629ef3396
SHA512:	427a23dfe919bc0ea067d8641829dd767df8e68a8639e17583f3e52168e69f6cbe434b6155f807418036cef81b62fd4f605a7ea648474b3faa7f5c46c0e6e615
SSDEEP:	12288:QqGhvUmBJRrmxQiRcA6qcDwnwSbKKzXHw1hwtfu4AILNTHtrlHSMOl40s0hAD0iO:pGdPBJRCGinMSmgXeQ33LL9SMOl
TLSH:	AFE49D9C765075EFC867CC76CAA82C64EA6064BB430BE207902725EDDE0D99BCF151F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xb..............0..............7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4a37de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627883BD [Mon May 9 03:00:13 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa3784	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa17e4	0xa1800	False	0.859081728909	data	7.75508986641	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x600	0x600	False	0.430989583333	data	4.19396571799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa40a0	0x374	data
RT_MANIFEST	0xa4414	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2014
Assembly Version	1.0.0.0
InternalName	ContractArgumentValidatorAttrib.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Oversikt
ProductVersion	1.0.0.0
FileDescription	Oversikt
OriginalFilename	ContractArgumentValidatorAttrib.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 20:26:05.844319105 CEST	49763	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:26:08.957075119 CEST	49763	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:26:15.051246881 CEST	49763	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:26:31.738562107 CEST	49767	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:26:34.914781094 CEST	49767	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:26:40.912978888 CEST	49767	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:26:57.675729990 CEST	49770	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:00.867829084 CEST	49770	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:06.883775949 CEST	49770	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:07.024118900 CEST	54761	49770	102.89.42.162	192.168.2.4
May 10, 2022 20:27:07.024276972 CEST	49770	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:09.033850908 CEST	49770	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:13.099729061 CEST	49778	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:13.117367029 CEST	54761	49778	185.19.85.160	192.168.2.4
May 10, 2022 20:27:13.618872881 CEST	49778	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:13.639410019 CEST	54761	49778	185.19.85.160	192.168.2.4
May 10, 2022 20:27:14.150048971 CEST	49778	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:14.172974110 CEST	54761	49778	185.19.85.160	192.168.2.4
May 10, 2022 20:27:18.277035952 CEST	49779	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:18.312689066 CEST	54761	49779	185.19.85.160	192.168.2.4
May 10, 2022 20:27:18.916165113 CEST	49779	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:18.950690031 CEST	54761	49779	185.19.85.160	192.168.2.4
May 10, 2022 20:27:19.525528908 CEST	49779	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:19.543219090 CEST	54761	49779	185.19.85.160	192.168.2.4
May 10, 2022 20:27:23.558701038 CEST	49781	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:23.581326008 CEST	54761	49781	185.19.85.160	192.168.2.4
May 10, 2022 20:27:24.197825909 CEST	49781	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:24.215622902 CEST	54761	49781	185.19.85.160	192.168.2.4
May 10, 2022 20:27:24.807208061 CEST	49781	54761	192.168.2.4	185.19.85.160
May 10, 2022 20:27:24.824640036 CEST	54761	49781	185.19.85.160	192.168.2.4
May 10, 2022 20:27:29.035579920 CEST	49782	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:32.042187929 CEST	49782	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:32.183749914 CEST	54761	49782	102.89.42.162	192.168.2.4
May 10, 2022 20:27:32.185914993 CEST	49782	54761	192.168.2.4	102.89.42.162
May 10, 2022 20:27:38.745908976 CEST	49782	54761	192.168.2.4	102.89.42.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 20:26:05.667190075 CEST	56076	53	192.168.2.4	8.8.8.8
May 10, 2022 20:26:05.832842112 CEST	53	56076	8.8.8.8	192.168.2.4
May 10, 2022 20:26:31.565943956 CEST	60647	53	192.168.2.4	8.8.8.8
May 10, 2022 20:26:31.736644983 CEST	53	60647	8.8.8.8	192.168.2.4
May 10, 2022 20:26:57.445472956 CEST	64909	53	192.168.2.4	8.8.8.8
May 10, 2022 20:26:57.582832098 CEST	53	64909	8.8.8.8	192.168.2.4
May 10, 2022 20:27:28.897432089 CEST	56509	53	192.168.2.4	8.8.8.8
May 10, 2022 20:27:29.034096956 CEST	53	56509	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 10, 2022 20:26:05.667190075 CEST	192.168.2.4	8.8.8.8	0xef43	Standard query (0)	fastspeed.ddnsfree.com	A (IP address)	IN (0x0001)
May 10, 2022 20:26:31.565943956 CEST	192.168.2.4	8.8.8.8	0xf54b	Standard query (0)	fastspeed.ddnsfree.com	A (IP address)	IN (0x0001)
May 10, 2022 20:26:57.445472956 CEST	192.168.2.4	8.8.8.8	0x243a	Standard query (0)	fastspeed.ddnsfree.com	A (IP address)	IN (0x0001)
May 10, 2022 20:27:28.897432089 CEST	192.168.2.4	8.8.8.8	0xb410	Standard query (0)	fastspeed.ddnsfree.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 10, 2022 20:26:05.832842112 CEST	8.8.8.8	192.168.2.4	0xef43	No error (0)	fastspeed.ddnsfree.com	102.89.42.162	A (IP address)	IN (0x0001)
May 10, 2022 20:26:31.736644983 CEST	8.8.8.8	192.168.2.4	0xf54b	No error (0)	fastspeed.ddnsfree.com	102.89.42.162	A (IP address)	IN (0x0001)
May 10, 2022 20:26:57.582832098 CEST	8.8.8.8	192.168.2.4	0x243a	No error (0)	fastspeed.ddnsfree.com	102.89.42.162	A (IP address)	IN (0x0001)
May 10, 2022 20:27:29.034096956 CEST	8.8.8.8	192.168.2.4	0xb410	No error (0)	fastspeed.ddnsfree.com	102.89.42.162	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	20:25:25
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\U7Ncg7oAyC.exe"
Imagebase:	0xb80000
File size:	664064 bytes
MD5 hash:	1D2CA2D522F8F4E99609CF7E88E673B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	20:25:38
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Imagebase:	0xc00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	20:25:39
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	20:25:39
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp
Imagebase:	0x1c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	20:25:45
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	20:25:48
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
Imagebase:	0x520000
File size:	664064 bytes
MD5 hash:	1D2CA2D522F8F4E99609CF7E88E673B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Target ID:	16
Start time:	20:25:55
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp
Imagebase:	0x1c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	17
Start time:	20:25:56
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	18
Start time:	20:25:58
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp
Imagebase:	0x1c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	19
Start time:	20:25:58
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U7Ncg7oAyC.exe 0
Imagebase:	0x420000
File size:	664064 bytes
MD5 hash:	1D2CA2D522F8F4E99609CF7E88E673B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Target ID:	21
Start time:	20:25:59
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	22
Start time:	20:26:03
Start date:	10/05/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0xcf0000
File size:	664064 bytes
MD5 hash:	1D2CA2D522F8F4E99609CF7E88E673B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	24
Start time:	20:26:09
Start date:	10/05/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x3b0000
File size:	664064 bytes
MD5 hash:	1D2CA2D522F8F4E99609CF7E88E673B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Target ID:	25
Start time:	20:26:13
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Imagebase:	0xc00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	26
Start time:	20:26:14
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	27
Start time:	20:26:14
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
Imagebase:	0x1c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	28
Start time:	20:26:16
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	29
Start time:	20:26:18
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
Imagebase:	0xc00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	30
Start time:	20:26:19
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U7Ncg7oAyC.exe
Imagebase:	0xd10000
File size:	664064 bytes
MD5 hash:	1D2CA2D522F8F4E99609CF7E88E673B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Show Windows behavior

Target ID:	31
Start time:	20:26:19
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	32
Start time:	20:26:20
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
Imagebase:	0x1c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	33
Start time:	20:26:24
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	34
Start time:	20:26:28
Start date:	10/05/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xaa0000
File size:	664064 bytes
MD5 hash:	1D2CA2D522F8F4E99609CF7E88E673B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Show Windows behavior

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	1

Executed Functions

Function 02D73040 Relevance: 7.8, Strings: 6, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@c,, xrefs: 02D732D1
5)}, xrefs: 02D733C2
5LK,, xrefs: 02D733AA
5LK,, xrefs: 02D733A3
Kp8, xrefs: 02D73243
xaw5, xrefs: 02D73194

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: 5LK,$5LK,$D@c,$Kp8$xaw5$5)}
API String ID: 0-1743555949
Opcode ID: 51d251a1625d3679267b13cf1cc5849b1a145487538f7438fd70ac86004d050e
Instruction ID: eaecc7078eed4e0c9b63c3c4390fe7fe639652c48684d6b2dac0f7b283e946b3
Opcode Fuzzy Hash: 51d251a1625d3679267b13cf1cc5849b1a145487538f7438fd70ac86004d050e
Instruction Fuzzy Hash: 0AC13AB0D0420ADFCB54CFA5C4848AEFBB2FF89300B649599D516A7314E738EA46DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02D72F39 Relevance: 6.6, Strings: 5, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@c,, xrefs: 02D732D1
5)}, xrefs: 02D733C2
5LK,, xrefs: 02D733AA
Kp8, xrefs: 02D73243
xaw5, xrefs: 02D73194

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: 5LK,$D@c,$Kp8$xaw5$5)}
API String ID: 0-3835910141
Opcode ID: 7586c0bd547b937b5244c20ea4c86ba2baf958ae20c0c266a7ea6e7ba9418513
Instruction ID: 85639d49d727975715b22566aaeecd9acc8c285fdae20ff9e0408154a919301c
Opcode Fuzzy Hash: 7586c0bd547b937b5244c20ea4c86ba2baf958ae20c0c266a7ea6e7ba9418513
Instruction Fuzzy Hash: 34F17A70E1424ADFCB45CFA5C4954EEFBB2FF89340B1485AAC841A7305E739A94ADF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D70470 Relevance: 1.3, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;7r, xrefs: 02D70544

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: ;7r
API String ID: 0-1660951293
Opcode ID: f72753b9c073687a35d825a3cfe979f7d863866c1bf2f55508bcc8445a66b524
Instruction ID: 68b718a7009aa2b2c6fff175c86d720221002ad5e60857faf069eb0eaf58eaeb
Opcode Fuzzy Hash: f72753b9c073687a35d825a3cfe979f7d863866c1bf2f55508bcc8445a66b524
Instruction Fuzzy Hash: 8131D671E056189FEB58CFABD8406DEFBF3ABC8301F14C1BAD508A6264EB3509468F11

Uniqueness

Uniqueness Score: -1.00%

Function 054D9770 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311533295.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54d0000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac299cb88214612d6fb146129ade94c8d43117606d4a314e7b959636047fd4c2
Instruction ID: ba7bf0ab07ac33c9f9ff632981f7069fc69466ad458c3219723a155892f55fa5
Opcode Fuzzy Hash: ac299cb88214612d6fb146129ade94c8d43117606d4a314e7b959636047fd4c2
Instruction Fuzzy Hash: 72C1BA71B046449FDB29EB76C460BABB3E6BFC9604F1444AED246CB394DB35E901CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02D70F3F Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b819384a83d214f38e875115128e7a7475c98d553b0da3d3b518085d4e8604eb
Instruction ID: ab499c68ab0237e51d20a199cc3e63ddf6a2aa8c713504ad7d42eb08ad2fec11
Opcode Fuzzy Hash: b819384a83d214f38e875115128e7a7475c98d553b0da3d3b518085d4e8604eb
Instruction Fuzzy Hash: 96A13974E052888FCB04CFA9C8956EDBBF2EF89310F14816AD849BB355D735A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D70FE8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cb42d75191c272f7a426aca3f8df3609c89b7549363f9bde58e7d03f1b0bff
Instruction ID: 6098871a38839869bda0b3dd2f30fa4e35a16efbb26a46200a83d8d51e1f50db
Opcode Fuzzy Hash: c9cb42d75191c272f7a426aca3f8df3609c89b7549363f9bde58e7d03f1b0bff
Instruction Fuzzy Hash: 4681B174E012198FCB08CFA9C984AAEFBB2FF89300F24852AD519BB354E7359945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02D7B558 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421ca85a24010da5fc6e9ae525c2a32b0b8d253b0e0765e0600b01d71e6e046e
Instruction ID: c3b9a6ca04ce2b2acf57d164d93f043a4f29bb617313fcaaac1693baffc54656
Opcode Fuzzy Hash: 421ca85a24010da5fc6e9ae525c2a32b0b8d253b0e0765e0600b01d71e6e046e
Instruction Fuzzy Hash: BB512774E042099FDB08DFA5D8445AEFBB2FF89314F14846AD416AB364EB389D41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02D720E8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d3aced5b3e599ba8a378f8c73adf516085fefedd69f17dd69bc8c16db39c72
Instruction ID: d63a2ced95e620796501311bbc776aeac94fc0772b4bd855aee586fe95eaf170
Opcode Fuzzy Hash: 24d3aced5b3e599ba8a378f8c73adf516085fefedd69f17dd69bc8c16db39c72
Instruction Fuzzy Hash: 6C310871E006588BDB18CFAAD8446DEFBF7BFC9310F14C16AD909A6259DB340946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 09C98418 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09C986DF

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c2fa721c4a56dadb115a40a25eaf45ad816276bcefeb8eb4cc1b26ffcf2a93f8
Instruction ID: bf626a97959cfa15c237c1811d5f2f4b3bcc2d200837ff6c70a0cffdf16578e1
Opcode Fuzzy Hash: c2fa721c4a56dadb115a40a25eaf45ad816276bcefeb8eb4cc1b26ffcf2a93f8
Instruction Fuzzy Hash: 95C13671D142298FDF20CFA4D844BEEBBB1BF5A304F0095A9E509B7240DB749A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02D7BC88 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D7D5F9

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 583dd60adb2c19ed96f7f236dc3ffabf6bf47f70bb4f3b76aa38ef666e5e40b8
Instruction ID: 9068834cf0fe4336dcd7702ea8d2601b4e996bc95de4f28def63a90d2b53714b
Opcode Fuzzy Hash: 583dd60adb2c19ed96f7f236dc3ffabf6bf47f70bb4f3b76aa38ef666e5e40b8
Instruction Fuzzy Hash: C95104B1D0421C8FDB20DFA4C840BCEBBB5BF55308F1180A9D609AB251EB756A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 09C98000 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C980D3

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 71b044bcf67b4d10fe60f421140fbbbf1926e5ef671ee123075b06079a8d8110
Instruction ID: 0472d61897bedb194be8e3df65e5e735ea7772c26ba47cea1fcef90daa1ad16a
Opcode Fuzzy Hash: 71b044bcf67b4d10fe60f421140fbbbf1926e5ef671ee123075b06079a8d8110
Instruction Fuzzy Hash: 7C41A8B5D052589FCF00CFA9D984AEEFBF1BB49314F14942AE818BB200D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C98188 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C9823A

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e32cc9479e72c73a51c1204b6b2dabf94c286ec339117d8c34793c83a4efde5d
Instruction ID: 5da28137d997a0ca38cc781d912b6462b5971fff209197ced460346625459ec1
Opcode Fuzzy Hash: e32cc9479e72c73a51c1204b6b2dabf94c286ec339117d8c34793c83a4efde5d
Instruction Fuzzy Hash: B241C8B5D042589FCF00CFAAD884AEEFBB1BF19310F14942AE914B7200C735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C97EB0 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09C97F5A

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9b54c84c0572497a1f08c76f53c93d32df0a2f53d50b6bbdd6e54a5fdd4434c2
Instruction ID: 142b0b8597401ea753dbda7b51673d8798e58f088a3772186c3991fb085f6150
Opcode Fuzzy Hash: 9b54c84c0572497a1f08c76f53c93d32df0a2f53d50b6bbdd6e54a5fdd4434c2
Instruction Fuzzy Hash: 1631A8B9D042589FCF10CFA9E984ADEFBB1BB59310F14942AE815BB300D735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02D77E18 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D77EC7

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 75173493062d67a93e2e8a5dbd42dc725e16d281d2658401fff110e0d3c1583a
Instruction ID: 772d6b5cfecfb14a8ef3c71ddd0b9e634aefa692c97f9687b4268f8037b76d5e
Opcode Fuzzy Hash: 75173493062d67a93e2e8a5dbd42dc725e16d281d2658401fff110e0d3c1583a
Instruction Fuzzy Hash: 4731A6B9D002189FCF10CFA9E584AEEFBB0BB19310F14942AE814BB310D375A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02D77E20 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D77EC7

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a97fdcb84ae32d0144e4b194072c66280ab8f6d1dec1a1df79de48ccdf3f77c2
Instruction ID: f347cd064b53c223f49d11c0175d881fd21307df641a182948d2d488c36c4283
Opcode Fuzzy Hash: a97fdcb84ae32d0144e4b194072c66280ab8f6d1dec1a1df79de48ccdf3f77c2
Instruction Fuzzy Hash: 513198B9D042589FCF10CFA9E584AEEFBB0BB19310F14942AE814B7310D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C97CC8 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 09C97D77

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: faa89818084baaf1cf11f0cefac94e6eb6c8fbf53c415fe0d8f1ce54f42420b8
Instruction ID: a4ad71fa54afb2a76ba07d6e0a98795f5e488c00ba0d8bfb706928188558dc9f
Opcode Fuzzy Hash: faa89818084baaf1cf11f0cefac94e6eb6c8fbf53c415fe0d8f1ce54f42420b8
Instruction Fuzzy Hash: 1031BCB5D112589FDF10CFA9D884AEEBBF1BF48314F14842AE414B7240D738A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 054D8250 Relevance: 1.6, APIs: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 054D89CB

Memory Dump Source

Source File: 00000000.00000002.311533295.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54d0000_U7Ncg7oAyC.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7ae65a92f85e35b1edf9bfbd6c3c080cd9c9a77f602e5d88c38235105a4a501a
Instruction ID: 9e7f7bb1067566e2e5fe71f7cdbd26a76c03e5c0d336edda0098c2cf88bf4bde
Opcode Fuzzy Hash: 7ae65a92f85e35b1edf9bfbd6c3c080cd9c9a77f602e5d88c38235105a4a501a
Instruction Fuzzy Hash: 593186B9D04258AFCB10CFA9E484ADEFBF4AB19314F14906AE814BB310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09C97BA8 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 09C97C26

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4a8aadcfbb88ee4ab85ebe3f74806773f6f924df49f39c4f6b9525f544aacf58
Instruction ID: ff3cdc28a082c3b8ec314bf14616f1e4717a1220427379fb774097470ab85e22
Opcode Fuzzy Hash: 4a8aadcfbb88ee4ab85ebe3f74806773f6f924df49f39c4f6b9525f544aacf58
Instruction Fuzzy Hash: 2A31C9B4D152189FCF10CFA9E984A9EFBB4AB48314F14842AE814B7300C734A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 013ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306321453.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0399683460228f7aff952f666d6d213f5c463e1207cae100648f5945b0ff3d5
Instruction ID: 20d5be02d17acf3e2a2f0fc027153e2456c0e372d61aacd5324cd854b446859c
Opcode Fuzzy Hash: e0399683460228f7aff952f666d6d213f5c463e1207cae100648f5945b0ff3d5
Instruction Fuzzy Hash: BD2145B2504344DFCB01DF54D9C8B2ABFA5FB8832CF24C569E9054B286C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306433504.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09c777c3f76a081e3b038f38dffbe55e1ca32732973d3b2a4355906939365be
Instruction ID: 8583925d8e3dc21b3b304104d51a7d2b2075851cbccc2e92957f3b00d0543855
Opcode Fuzzy Hash: d09c777c3f76a081e3b038f38dffbe55e1ca32732973d3b2a4355906939365be
Instruction Fuzzy Hash: E5216471508244DFCB11DF64D8C8B26BB65FB88358F20C5ADEA0A4B346C33BD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 013FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306433504.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5933c001d7e8d7f92060317b49b822bc3f825f4b8256d7b7ff2f90ecc6e5de2
Instruction ID: 14c239679e36239ca220109c8536e186c339395a64da1af9aaf75a1c9300f5c8
Opcode Fuzzy Hash: a5933c001d7e8d7f92060317b49b822bc3f825f4b8256d7b7ff2f90ecc6e5de2
Instruction Fuzzy Hash: 5C212979504244EFDB01DF94D5C8B26BB65FB84328F24C5ADDA094B246C337D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306433504.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b074ab95d7d34f5c8a834a6f0f857acb7a20dc9ad715bd7d2f1a23bd2090a2c4
Instruction ID: 9a8079b41065b874ca78037af2d1e18c9660b5639390e9b0bf24b9427c5299c3
Opcode Fuzzy Hash: b074ab95d7d34f5c8a834a6f0f857acb7a20dc9ad715bd7d2f1a23bd2090a2c4
Instruction Fuzzy Hash: 48218E755093808FCB03CF24D994B15BF71EB46218F28C5EAD9498B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 013ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306321453.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction ID: 66f175680c70b5278ab6a2316779b9122c58e5c8926e38820f5b76534b77311b
Opcode Fuzzy Hash: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction Fuzzy Hash: 6B11B176404380CFCB12CF54D9C4B16BFB1FB88328F28C6A9D8450B696C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306433504.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction ID: 230b71b31dbf9e8ba15c289557aadf4bf00643fd52a3c5c1e3c207f0b1018251
Opcode Fuzzy Hash: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction Fuzzy Hash: A911BE79504280DFCB02CF54C5C4B15FF71FB84228F28C6AED9494B656C33AD45ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 013ED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306321453.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce3420ad33f2673913ba990b75f23b72aa1fedee3e640403b2d427a2f6c417f
Instruction ID: 7395252ed20a098d9509a77bd690b1bcc2cb9790113445b4e0cf783e4f0b705e
Opcode Fuzzy Hash: 4ce3420ad33f2673913ba990b75f23b72aa1fedee3e640403b2d427a2f6c417f
Instruction Fuzzy Hash: B501F7710483E49AE7108F65CD88B66BFDCDF4126CF09C55AEE054B2C6D37A9440C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 013ED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306321453.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a1328fe445ee2d167c2b2060686ba654928ef18c84e8ee712ebd0d920db91d
Instruction ID: e9821d88eacc21dc884a9b4c75a92eb31d2dbadd88d43b03975264bdca8deac9
Opcode Fuzzy Hash: 94a1328fe445ee2d167c2b2060686ba654928ef18c84e8ee712ebd0d920db91d
Instruction Fuzzy Hash: 1EF0C2724083949EEB108F59CC88B62FFD8EB81238F18C05AED080B286C3799844CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02D73ED0 Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

[6#5, xrefs: 02D73F1F
0z$, xrefs: 02D73FCE

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: 0z$$[6#5
API String ID: 0-1807647604
Opcode ID: 416af33952b9d0a86d4843bc8f692e333f3be49ca743fdc0bc4834dcb7704acf
Instruction ID: ac9f9425ba4d982d5114982b5dbd0b4df496db0baeef6aec2e34b43a76176870
Opcode Fuzzy Hash: 416af33952b9d0a86d4843bc8f692e333f3be49ca743fdc0bc4834dcb7704acf
Instruction Fuzzy Hash: 2E810074E152198FCB44CFA9D68099EFBF1FF88350B24956AE515AB360E334AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D73EC1 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

[6#5, xrefs: 02D73F1F
0z$, xrefs: 02D73FCE

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: 0z$$[6#5
API String ID: 0-1807647604
Opcode ID: cd2223582ab43424c53a307c5cf7613821188a345cbf39eb0b1c81f3c9982443
Instruction ID: 3bed40026d1906f2e536df4e036eacac9e7f45eec25c15419e8448d951a69e6b
Opcode Fuzzy Hash: cd2223582ab43424c53a307c5cf7613821188a345cbf39eb0b1c81f3c9982443
Instruction Fuzzy Hash: 02810274E152198FCB44CFA8D58499EFBF1FF88350B2495AAE515AB360E334AE42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 09C90040 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

*, xrefs: 09C93284
$, xrefs: 09C90153

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: $$*
API String ID: 0-3931512670
Opcode ID: 6629018b4da0af0215b33a7b3c40335c3d4e409f155b02dce608459f5a3a3d58
Instruction ID: 191bc8222174b68eae5410e88a2b42e3553c0cb2f67f8f045d474f0a8e7dc27e
Opcode Fuzzy Hash: 6629018b4da0af0215b33a7b3c40335c3d4e409f155b02dce608459f5a3a3d58
Instruction Fuzzy Hash: 46414171E15A588BEB2CCF6BCD4478EFAF3AFC9341F14C1BA840DAA255EB7005428E11

Uniqueness

Uniqueness Score: -1.00%

Function 02D75558 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

/Ml, xrefs: 02D756B7

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: /Ml
API String ID: 0-3801622744
Opcode ID: 8eca21b7aeff1eb66499203cad84d94821be81b493888c2490bfe57d43186d2b
Instruction ID: 20519a5579e979ee2abe17c0e33c1687c51680fca640dd5921e452a0907e540c
Opcode Fuzzy Hash: 8eca21b7aeff1eb66499203cad84d94821be81b493888c2490bfe57d43186d2b
Instruction Fuzzy Hash: 6D4105B4E1524ACFCB44CFA9D5805AEFBB2AF89300F24D56AC805A7358E3349A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D75568 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

/Ml, xrefs: 02D756B7

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: /Ml
API String ID: 0-3801622744
Opcode ID: e67fa8448f5d5187dbab85168764d1c07c95f8c925009f7f8b0564b3c59a1367
Instruction ID: fdf7342503339149a642ff3f393d4e09942a4e9b0af95022c6579b0b700767d4
Opcode Fuzzy Hash: e67fa8448f5d5187dbab85168764d1c07c95f8c925009f7f8b0564b3c59a1367
Instruction Fuzzy Hash: 2F41E4B4E1520ADBCB44CFA9D5815AEFBF2EB88300F64D46AC905B7318E7349A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 054D0040 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

7, xrefs: 054D4A33

Memory Dump Source

Source File: 00000000.00000002.311533295.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54d0000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 357fadd55ef5ea4ac03287d33ed3bc9628a20c543b742124f270f7b15f70814d
Instruction ID: 9d2414d433b9dd1f1efa4fd14be0d89f5c437ec1d76c55f60ea9fbc80250575d
Opcode Fuzzy Hash: 357fadd55ef5ea4ac03287d33ed3bc9628a20c543b742124f270f7b15f70814d
Instruction Fuzzy Hash: DD414371D05A588BEB5CCF6B8D5469EFAF3AFC8201F14C1BAC50CAB255EB3049428E15

Uniqueness

Uniqueness Score: -1.00%

Function 09C9003E Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

$, xrefs: 09C90153

Memory Dump Source

Source File: 00000000.00000002.314656729.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c90000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 269f182c06117d11e17a13c49c56550e818108e3d06722ada7f7d7c2150372b8
Instruction ID: e1250fb7bd39d0c8eda8bbf5ac86e9874939f7a6ea2a22a8d9dba142a23779b1
Opcode Fuzzy Hash: 269f182c06117d11e17a13c49c56550e818108e3d06722ada7f7d7c2150372b8
Instruction Fuzzy Hash: B0410571D11A588BEB1CCF6BCD4469EFAF3AFC9301F14C1BA941CAA254EB7005428F51

Uniqueness

Uniqueness Score: -1.00%

Function 02D71BF8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857af1a34158f816e0439ced0228487b645b3a31bb67036b26a1d6dca14d52b0
Instruction ID: 1df4c5d7e8c6e3d31c8f73cda62eb74415fe0c8233eeb3565f2401ff288372c9
Opcode Fuzzy Hash: 857af1a34158f816e0439ced0228487b645b3a31bb67036b26a1d6dca14d52b0
Instruction Fuzzy Hash: 3561E575E0520A9FCB04CFA9D481AEEFBB2FB88310F14966AE519A7314E374D941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D74A90 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397b902ad5b8476befb0e564af9e6392af1b091206e98628b85687f4140c328a
Instruction ID: de628fd8e2382f92b019727da62a6af2a21ac034d9994fb85b05a70dec7b0703
Opcode Fuzzy Hash: 397b902ad5b8476befb0e564af9e6392af1b091206e98628b85687f4140c328a
Instruction Fuzzy Hash: 4D71B1B4E0520ADFCB05CF99C5809AEFBB2FF48314F14855AD455AB318E338A942CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D74A81 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431495ef0481f231834d3d53af43bd4d546c66d52426167a9f501c2d721d6e26
Instruction ID: 4b89eb9bab9ac0ff68b6adc25d713fc5b97e9453cdab92e62f8aa755d6f9c900
Opcode Fuzzy Hash: 431495ef0481f231834d3d53af43bd4d546c66d52426167a9f501c2d721d6e26
Instruction Fuzzy Hash: B861B2B4E0420A9FCB05CFA9C5809AEFBB2FF48314F14855AD455A7318E338AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D75330 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcd2d181ae94388b09910af3705af4825993625b1fbe083cf68ec33ecf6c4b4
Instruction ID: 3fb986f344faf4e7c360d879d040351a3f3579c1d340749a392638913d96d3d5
Opcode Fuzzy Hash: 7dcd2d181ae94388b09910af3705af4825993625b1fbe083cf68ec33ecf6c4b4
Instruction Fuzzy Hash: 1351F274E052098FCB04CFA9D5805DEFBF2FF89214F28956AD855B7324E7349A02CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02D75340 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f98c1383fc7c62a0c42c99813962a23721220fa91d3fce55da962311f0d601
Instruction ID: 4f0cff07d77fb927222c030c18157dbfa36430773ed26d674892ad4286a60b0f
Opcode Fuzzy Hash: 94f98c1383fc7c62a0c42c99813962a23721220fa91d3fce55da962311f0d601
Instruction Fuzzy Hash: B051E1B4E052098FCB04CFAAE58059EFBF2FB88214F24952AD855B7324E7349A02CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02D75738 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58cd9a0b73bfcfd1c2741b5d6703b8e9b785cebb29e26422b41b4b48998c406
Instruction ID: 20419f6641497ab0bc79a249fb26e0c49856f6f5aad98dffa7af2604d691afa5
Opcode Fuzzy Hash: b58cd9a0b73bfcfd1c2741b5d6703b8e9b785cebb29e26422b41b4b48998c406
Instruction Fuzzy Hash: 95415FB1E056588BEB28CF6B9D4429EFBF3AFC9300F14C1BA954CA6255EB340A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 054D0006 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311533295.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54d0000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ab0556796debf707c9b63e3ed771cfea8180be45287583ff97425bb791c0d5
Instruction ID: 45e0c9317f7c0201ae3bc8d64277375145e7b917a03b717fd0dbfffac331a463
Opcode Fuzzy Hash: 76ab0556796debf707c9b63e3ed771cfea8180be45287583ff97425bb791c0d5
Instruction Fuzzy Hash: 41416271D05A588FE75DCF6B8D5169AFAF3AFC5201F18C1FAC40CAA265EB3015468E11

Uniqueness

Uniqueness Score: -1.00%

Function 02D75138 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d099ffbcce8bee5b1e0477f7ecac9fc2f88659e5edd9ed53d4ec38e793e954f
Instruction ID: 199f66e78039a02e6758b96851486edaddf67da0b53585a787c2581c80082dbe
Opcode Fuzzy Hash: 7d099ffbcce8bee5b1e0477f7ecac9fc2f88659e5edd9ed53d4ec38e793e954f
Instruction Fuzzy Hash: 5F41E4B4E0420A9FCB04CFAAD5805AEFBF2BF98310F54D06AC915A6304E7389A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02D75128 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306670858.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686eaade93cd169e7d6d742d0d7305fc2a09f87d184f7dab45feb6780b637b53
Instruction ID: e554bfa11ed560fbce655cceb2bfcaf1af07c0b86f3a42ab2759f2c64d1d92d4
Opcode Fuzzy Hash: 686eaade93cd169e7d6d742d0d7305fc2a09f87d184f7dab45feb6780b637b53
Instruction Fuzzy Hash: A541E5B4E0420A9FCB44CFAAD4805AEFBF2EF98310F54C56AC915A7314E7389A41CF95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: U7Ncg7oAyC.exePID: 6752, Parent PID: 6284COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	198
Total number of Limit Nodes:	19

Executed Functions

Function 0283B6C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0283B730
GetCurrentThread.KERNEL32 ref: 0283B76D
GetCurrentProcess.KERNEL32 ref: 0283B7AA
GetCurrentThreadId.KERNEL32 ref: 0283B803

Strings

Qj:., xrefs: 0283B6EC

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Qj:.
API String ID: 2063062207-4006226587
Opcode ID: eeb86bdbd77766cef0ad79b4a4c70d2911821787d9c88c916b35021c5c914322
Instruction ID: 68c7afd7aba34997ae8a1b6c2c26edd67380a6ae13ce9224ac8d470920644d96
Opcode Fuzzy Hash: eeb86bdbd77766cef0ad79b4a4c70d2911821787d9c88c916b35021c5c914322
Instruction Fuzzy Hash: 515144B89042498FDB14CFA9D5887DEBBF1EF48318F24845AD519E7390CB74A844CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0283B6D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0283B730
GetCurrentThread.KERNEL32 ref: 0283B76D
GetCurrentProcess.KERNEL32 ref: 0283B7AA
GetCurrentThreadId.KERNEL32 ref: 0283B803

Strings

Qj:., xrefs: 0283B6EC

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Qj:.
API String ID: 2063062207-4006226587
Opcode ID: e4af93c322815f972299736e39937b11e5b010157f44ff55564ac469ff992e5f
Instruction ID: 19bfc8b9963c2fd467b952568ad5e815836d9b16efaf585ca30d3dfe5931d40f
Opcode Fuzzy Hash: e4af93c322815f972299736e39937b11e5b010157f44ff55564ac469ff992e5f
Instruction Fuzzy Hash: 935143B89002498FDB14CFA9D588BEEBBF1EF48318F248459E419E7350DB74A844CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0283FAA0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0283FD0A

Strings

Qj:., xrefs: 0283FC26
Qj:., xrefs: 0283FC46

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: CreateWindow
String ID: Qj:.$Qj:.
API String ID: 716092398-141631473
Opcode ID: d4ef5e8a9ee12fd2d26804eafccd800123a818239f4cf161bc7de1e99c453ff5
Instruction ID: 9607c5275c5359456ffd3a7362b74687d1704cea31a3e78af435cfd1c95d2bea
Opcode Fuzzy Hash: d4ef5e8a9ee12fd2d26804eafccd800123a818239f4cf161bc7de1e99c453ff5
Instruction Fuzzy Hash: 68917B75C08388DFCB16CFA5C8A4AC9BFB1FF0A300F0A819AE444AB262D7345855CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0283FBF8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0283FD0A

Strings

Qj:., xrefs: 0283FC26
Qj:., xrefs: 0283FC46

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: CreateWindow
String ID: Qj:.$Qj:.
API String ID: 716092398-141631473
Opcode ID: 7c34edb49d8be22c0be09ed4349d9ed3ca1ee3023aab8d3c6583bdae7785227b
Instruction ID: c897a63ad12f20e5aca8402ec171bac0602d59a7bebc9b1f93f67ffa64516da3
Opcode Fuzzy Hash: 7c34edb49d8be22c0be09ed4349d9ed3ca1ee3023aab8d3c6583bdae7785227b
Instruction Fuzzy Hash: F641CFB5D003099FDB15CFA9C884ADEBBB5BF48314F24812AE919AB310D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 028393E8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0283962E

Strings

Qj:., xrefs: 028395E7

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: HandleModule
String ID: Qj:.
API String ID: 4139908857-4006226587
Opcode ID: e3c0c6e1fe1fc71fd431e61f5b03d12a9a37f555c2aaa3b32b611a9ca1bdd3e2
Instruction ID: 35e60b2a51a33911623556c6adeeb37a658e2966188e1383f5658d62fdb8327d
Opcode Fuzzy Hash: e3c0c6e1fe1fc71fd431e61f5b03d12a9a37f555c2aaa3b32b611a9ca1bdd3e2
Instruction Fuzzy Hash: 77710378A00B058FDB25DF29D45075AB7F2BF88218F008A2DD58AD7A50EB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0283FE03 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 0283FE9D

Strings

Qj:., xrefs: 0283FE5A

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: LongWindow
String ID: Qj:.
API String ID: 1378638983-4006226587
Opcode ID: 545d6c1de3cbf03fff176eaeddfdf4bdfd9d10ef900524bbc09f6c1e6fe87b8e
Instruction ID: 6840279ccfe638e4d39218c376beb9ad23f867f93e2377800751b59fda88c811
Opcode Fuzzy Hash: 545d6c1de3cbf03fff176eaeddfdf4bdfd9d10ef900524bbc09f6c1e6fe87b8e
Instruction Fuzzy Hash: C0219AB9804248DFCB11DFA4E588BDABFF4EB48314F05845AE958AB212D735A904CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0283BCF9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0283BD87

Strings

Qj:., xrefs: 0283BD1F

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: DuplicateHandle
String ID: Qj:.
API String ID: 3793708945-4006226587
Opcode ID: 54fdc9d18aaa5ea39f17696e5bd648b3213a059e30ca84894c4b9cfdec439db6
Instruction ID: 6e9a5e6235d29af80a05bc6afcea2c05220f33af7abbaec544444846b292f657
Opcode Fuzzy Hash: 54fdc9d18aaa5ea39f17696e5bd648b3213a059e30ca84894c4b9cfdec439db6
Instruction Fuzzy Hash: F021F3B9900208DFDF00CFA9D584ADEBBF5FB48324F14842AE958A7350C778A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0283BD00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0283BD87

Strings

Qj:., xrefs: 0283BD1F

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: DuplicateHandle
String ID: Qj:.
API String ID: 3793708945-4006226587
Opcode ID: 8d59db85f8c7ff9eff1e41d4e460ce8463d2dd93f65e03082660a2787ea35c61
Instruction ID: 01d4feb4a8aba1c8324e5436121ae6e3afd0be4e0b013b553a566be399f19806
Opcode Fuzzy Hash: 8d59db85f8c7ff9eff1e41d4e460ce8463d2dd93f65e03082660a2787ea35c61
Instruction Fuzzy Hash: E221D5B5900248DFDB10CFA9D584ADEBBF4FB48324F14841AE919A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02838768 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,028396A9,00000800,00000000,00000000), ref: 028398BA

Strings

Qj:., xrefs: 0283986F

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: LibraryLoad
String ID: Qj:.
API String ID: 1029625771-4006226587
Opcode ID: 4f52f3e3518e220c70a5275f5dac6401cd5a925f34f3cf76ca5a239358fd9ac8
Instruction ID: 10837dd96303bf12293769807cfc83d30f31bfa1a42f0a7119167484a1e50bbb
Opcode Fuzzy Hash: 4f52f3e3518e220c70a5275f5dac6401cd5a925f34f3cf76ca5a239358fd9ac8
Instruction Fuzzy Hash: 6411D3BA9042499FDB10CF9AC444BDEBBF4EB88324F14842AD919A7700C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02839849 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,028396A9,00000800,00000000,00000000), ref: 028398BA

Strings

Qj:., xrefs: 0283986F

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: LibraryLoad
String ID: Qj:.
API String ID: 1029625771-4006226587
Opcode ID: dac59f5b0ccc3ca527c85752afb091a99d4e86afd676e611bdffe263381807c1
Instruction ID: f8ceaf7699d6d0fb0bd27b3e3a827e890a38dd612a45976b19f3687bb2779008
Opcode Fuzzy Hash: dac59f5b0ccc3ca527c85752afb091a99d4e86afd676e611bdffe263381807c1
Instruction Fuzzy Hash: B91114BAD002098FDB10DF99D444BDEFBF4EB88314F15842AD519A7600C774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028395C8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0283962E

Strings

Qj:., xrefs: 028395E7

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: HandleModule
String ID: Qj:.
API String ID: 4139908857-4006226587
Opcode ID: 85884e511290933e0ef27e9061bbecb5f01bec48aa71025324605c183654f0ee
Instruction ID: 04284dde8b8c2ccee334554f445b603653a2e11f523681edb5fe58bfb37f384d
Opcode Fuzzy Hash: 85884e511290933e0ef27e9061bbecb5f01bec48aa71025324605c183654f0ee
Instruction Fuzzy Hash: E511E0B9D006498FCB10CF9AC444BDEFBF4EB88324F14852AD929A7600D3B5A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0283FE40 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 0283FE9D

Strings

Qj:., xrefs: 0283FE5A

Memory Dump Source

Source File: 00000006.00000002.517196290.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_U7Ncg7oAyC.jbxd

Similarity

API ID: LongWindow
String ID: Qj:.
API String ID: 1378638983-4006226587
Opcode ID: 8cabac0b7b2460bde4eb7ac867fb9a9c3e43f19c91dc35a7c9d8d5cb004de1cc
Instruction ID: dc4df69a4e70ef50deaef771232a86dc2eb8e3a5fe9d3d96426ca1f86f6a49ec
Opcode Fuzzy Hash: 8cabac0b7b2460bde4eb7ac867fb9a9c3e43f19c91dc35a7c9d8d5cb004de1cc
Instruction Fuzzy Hash: 901112B98002088FDB10DF99D588BDFBBF8EB48324F10841AD919A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0263D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.516614682.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_263d000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da414e4649d6fe15fb870971d4aca6d9b7d6ccb0d074dff3887a54bd2c16a31
Instruction ID: f8ebd5e3eff7f6bfde5d13bbdbbfb28833904e7df91db886fba6e0b1681b735a
Opcode Fuzzy Hash: 4da414e4649d6fe15fb870971d4aca6d9b7d6ccb0d074dff3887a54bd2c16a31
Instruction Fuzzy Hash: 6821F5B2504240EFDB16DF14D9C0B26BF66FB98338F24C569E9064B256C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0263D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.516614682.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_263d000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189dc29278aaaa362cf31fee783160b9d74652e96ce9f47db8a38a6de880f501
Instruction ID: a5d78e9b84e4fd42d676206d64f2b2e4fe26411ebd32f212479693a3a7e607ad
Opcode Fuzzy Hash: 189dc29278aaaa362cf31fee783160b9d74652e96ce9f47db8a38a6de880f501
Instruction Fuzzy Hash: 1921D7B2504240DFDB1ADF14D9C0B26BF65FB98324F24C5A9E9054B347C336E866C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0264D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.516666279.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_264d000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a28234f2b76b8e20979133e16b4f99b71c0f398861c1c34eda96f3b0aaf961f
Instruction ID: 6d55019ac572d2ad7ab3555ea462c8500300e48e2088a179e758b0886fd67217
Opcode Fuzzy Hash: 3a28234f2b76b8e20979133e16b4f99b71c0f398861c1c34eda96f3b0aaf961f
Instruction Fuzzy Hash: 96213771904280DFDB14DF20D5C4B26BB61FB84714F24C5A9D8894B346CB37E857CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0264D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.516666279.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_264d000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b80e10669d27d35afa5fe984be4bf95cc26d6b3e9fdf16a8542b1c192d80bc5
Instruction ID: ee5e0bbb3c29dfca48629e125a92b68c13a3eff77a137826a9d6327f3f765cfb
Opcode Fuzzy Hash: 5b80e10669d27d35afa5fe984be4bf95cc26d6b3e9fdf16a8542b1c192d80bc5
Instruction Fuzzy Hash: D721A1755093C08FCB12CF20D994B15BF71EB46614F28C5EAD8898B697C33AD81ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0263D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.516614682.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_263d000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction ID: a013dbf230a46dc3b8467f86d68ebf978130dee63ae893cb256277772b1ec1b7
Opcode Fuzzy Hash: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction Fuzzy Hash: 1F118176504280DFCB16CF10D5C4B16BF71FB84324F28C6A9D8454B657C336E45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0263D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.516614682.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_263d000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction ID: b93c6344d0bba7ed8047c714b407a905f220de8c106f591cf2946f714cbe1c67
Opcode Fuzzy Hash: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction Fuzzy Hash: 2511B176804280DFCB12CF14D5C4B16BF72FB84324F28C6A9D8050B616C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: U7Ncg7oAyC.exePID: 2860, Parent PID: 960COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	1

Executed Functions

Function 07E0C080 Relevance: 3.5, Strings: 2, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 07E0C552
hjFI, xrefs: 07E0C48A

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID: UUUU$hjFI
API String ID: 0-3356801800
Opcode ID: ef5a41a0ac021dd2cd35c4aa26558a53d6038bd1b30e5abff25dae7bc00183b0
Instruction ID: f1ca34975d65ce532cc4e385513e28e4433ecded5d2f2b601ee9e628b88656a1
Opcode Fuzzy Hash: ef5a41a0ac021dd2cd35c4aa26558a53d6038bd1b30e5abff25dae7bc00183b0
Instruction Fuzzy Hash: FFA2E575A01228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB361DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07E00040 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c35be9c69adc084b7c4b0b22c3bec7a663bba9e07d91be11872545c77adb43
Instruction ID: 9ad250eb513db74770de9613e87c5149fd4bc7f97e32fc73c9c7feb801a13950
Opcode Fuzzy Hash: 12c35be9c69adc084b7c4b0b22c3bec7a663bba9e07d91be11872545c77adb43
Instruction Fuzzy Hash: A40250B0A01209DFCB15CFA8D984BAEBBB2FF49344F159065E805EB2A1D734DD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07E0BC49 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49118c698a04e2f41ea8c1388d457e10dc06c24391a495901a4a343e93a3932
Instruction ID: 6f9130a2a232fa0ac49ce08f523207d47ad18347ea6f6105b8964fa91a9d2ce6
Opcode Fuzzy Hash: f49118c698a04e2f41ea8c1388d457e10dc06c24391a495901a4a343e93a3932
Instruction Fuzzy Hash: 506150B0A023098FDB44DF7AE441A99BBF2EBC4344F04C579D404EB268EB795815CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07E0BC58 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fb0203d824afc0f40403ad1a50304c258e2f1c3003457632b87b470716a454
Instruction ID: ebd6bbfc3f1962701e84bae520aac49e5bc5ca44b6f21cc224d9dca5da75f22b
Opcode Fuzzy Hash: d0fb0203d824afc0f40403ad1a50304c258e2f1c3003457632b87b470716a454
Instruction Fuzzy Hash: 076140B0A023098FDB48DF7AE841A9DBBF2EBC5348F04C57AD404EB264EB7959158F51

Uniqueness

Uniqueness Score: -1.00%

Function 07E04AA7 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931b018f18d00931dac125cad4df0af9de1e3b2e80c0d2ba2e22c4f24b3a24aa
Instruction ID: 0fb3b7b6702c22442e1dfe2f2e11ab651c5f512df8daed94c32e388779749846
Opcode Fuzzy Hash: 931b018f18d00931dac125cad4df0af9de1e3b2e80c0d2ba2e22c4f24b3a24aa
Instruction Fuzzy Hash: 0041BCB4D052489FDB10CFE9C684BDEFBF0AB0A318F20912AE514BB291D7759985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07E04AB0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ca86974ca8c676a1bc3aea914723190ac2f100f638831a7543cc3214514fcf
Instruction ID: c51bd335fb833f59f73b97042244485a67b98cc653ff1b89fc1507e0381e40b5
Opcode Fuzzy Hash: 17ca86974ca8c676a1bc3aea914723190ac2f100f638831a7543cc3214514fcf
Instruction Fuzzy Hash: 9A41ABB4D052489FDB10CFE9C584BDEBBF0AB0A318F20902AE515BB290D775A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07E04F3B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a27c6fffdd0ad27539ccbf436c218258124d279973380fb7b23539cc50df014
Instruction ID: be9b5d8f0601ae38998d5ac7f8fc17ab29a6ed9559d28daea4d464930866fe29
Opcode Fuzzy Hash: 1a27c6fffdd0ad27539ccbf436c218258124d279973380fb7b23539cc50df014
Instruction Fuzzy Hash: 6221E2B4D01249DFCB14DFAAC4446EDBBF1AB4A324F20E129E924B7390D7349981CF98

Uniqueness

Uniqueness Score: -1.00%

Function 07E04F40 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8c117f1129768bdab863fa2a32a70c926d8c7b23ffc396634c3d10548a1dad
Instruction ID: 46efa34c60445775a9e81fd61dc578885d32bf8313d9db6937aa2870bcec1736
Opcode Fuzzy Hash: cb8c117f1129768bdab863fa2a32a70c926d8c7b23ffc396634c3d10548a1dad
Instruction Fuzzy Hash: 6C2192B4D01209DFDB14DFAAC5446EDBBF2AB4A310F10E129E814B7290D7349991CF98

Uniqueness

Uniqueness Score: -1.00%

Function 07E04E6C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7959ceff93525bc27bc2ef505004a97b78802e42963f9a44b7d458e13d1c7845
Instruction ID: b53526f8683808afa61bacc5d3b3940d5d2499efee9bb2db7ee1b2d34ef55605
Opcode Fuzzy Hash: 7959ceff93525bc27bc2ef505004a97b78802e42963f9a44b7d458e13d1c7845
Instruction Fuzzy Hash: 5001F6B4D0524C9B8F04DFA9D5404EEFBF1AB5A310F10A02AE814B3310D3308952CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 07E04E78 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: f6e82b68e468ca8880d8637cdcc79da2fdb29f5efa9f48f9c232c0b5ca42afc5
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: D1F092B4D0520C9F8F04DFA9D5408EEFBF2AB5A310F10A12AE804B3310E73099518FA8

Uniqueness

Uniqueness Score: -1.00%

Function 09298418 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 092986DF

Memory Dump Source

Source File: 00000013.00000002.419188687.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_9290000_U7Ncg7oAyC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4cb6ab462a456f7769b886ae09bdd29a1a7b0fb94c13d2568ad88f5ad86d82e5
Instruction ID: 9e966490e277e06d5a80ad97496b1402dae36982e5879971765292da4e55a5df
Opcode Fuzzy Hash: 4cb6ab462a456f7769b886ae09bdd29a1a7b0fb94c13d2568ad88f5ad86d82e5
Instruction Fuzzy Hash: 5CC12571D142298FDF20CFA4C980BEEBBB1BF49304F0595A9E509B7240DB749A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04D5BC88 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04D5D5F9

Memory Dump Source

Source File: 00000013.00000002.414465639.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4d50000_U7Ncg7oAyC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4c1692b429f4fd5488baedf28b429b7338ac2ac64e64638b5939a644e447e449
Instruction ID: 38c25378c3b170c1b897469cc27b939771e65a2dfcd29855850d5c645597b800
Opcode Fuzzy Hash: 4c1692b429f4fd5488baedf28b429b7338ac2ac64e64638b5939a644e447e449
Instruction Fuzzy Hash: 9C51F4B1D0421CDFDB20DFA4C884BCEBBB5BF55308F1180A9D509AB251DB71AA89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 09298000 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 092980D3

Memory Dump Source

Source File: 00000013.00000002.419188687.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_9290000_U7Ncg7oAyC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1bf6340df6c99ff1bb370f861008144c81ef7df242ee04188e8aa7f495031913
Instruction ID: 628f80b2e90032ab0d037e1233b079e700746c35af41158229c583affd94ea1f
Opcode Fuzzy Hash: 1bf6340df6c99ff1bb370f861008144c81ef7df242ee04188e8aa7f495031913
Instruction Fuzzy Hash: 2A41B8B5D012589FCF00CFA9D984AEEFBF1BB49314F14942AE818B7200D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09298188 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0929823A

Memory Dump Source

Source File: 00000013.00000002.419188687.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_9290000_U7Ncg7oAyC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e91bb6c5e2a1476b3a9ad26d81dd538df303c0f95721aeb4d7638830905457de
Instruction ID: b3c896bfa4703c299defc94dfae4395ae8205d172bc0a4eb27ff4f8814b168ed
Opcode Fuzzy Hash: e91bb6c5e2a1476b3a9ad26d81dd538df303c0f95721aeb4d7638830905457de
Instruction Fuzzy Hash: FA41C8B4D042589FCF00CFAAD984AEEFBB1BF09314F14942AE914B7200C735A946CF68

Uniqueness

Uniqueness Score: -1.00%

Function 09297EB0 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09297F5A

Memory Dump Source

Source File: 00000013.00000002.419188687.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_9290000_U7Ncg7oAyC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fa80bf83313489018d9db0ca4206c7e0363368f7693c82e12f5dfe056609d6f4
Instruction ID: c019a67d8da399d941d0cd3beb3785cb8fa787d445fa39ae5d8c2ed2542c2910
Opcode Fuzzy Hash: fa80bf83313489018d9db0ca4206c7e0363368f7693c82e12f5dfe056609d6f4
Instruction Fuzzy Hash: 5931C8B4D142589FCF10CFA9D984ADEFBB5BB49310F10942AE815B7300D735A946CF68

Uniqueness

Uniqueness Score: -1.00%

Function 04D57E18 Relevance: 1.6, APIs: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 04D57EC7

Memory Dump Source

Source File: 00000013.00000002.414465639.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4d50000_U7Ncg7oAyC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 530ec3062043b8d70128b6b452596b7c6af8be673e467cfafa300216d32575a2
Instruction ID: 5bf1dc816264ce84e978e34aebfa3764f00377a178f6c3fe2f185439b11ecddc
Opcode Fuzzy Hash: 530ec3062043b8d70128b6b452596b7c6af8be673e467cfafa300216d32575a2
Instruction Fuzzy Hash: 1D3199B9D042589FCF10CFA9E484ADEFBB1BB09314F24902AE815B7310D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04D57E20 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 04D57EC7

Memory Dump Source

Source File: 00000013.00000002.414465639.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4d50000_U7Ncg7oAyC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e9ddd8515e1857a4b00eb2b4a8acc7d0a3a97ed5c6a8997424511786e0af844a
Instruction ID: 003c2a152712b9a12a913eaa7415f020e3588c8dfb84acce9dbfb69199d917a2
Opcode Fuzzy Hash: e9ddd8515e1857a4b00eb2b4a8acc7d0a3a97ed5c6a8997424511786e0af844a
Instruction Fuzzy Hash: CD3198B9D042589FCF10CFA9E484AEEFBB1BB09310F24902AE814B7310D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09297CC8 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 09297D77

Memory Dump Source

Source File: 00000013.00000002.419188687.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_9290000_U7Ncg7oAyC.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f01fd5cd5627b05e9f3516914c30ffa1712189397e4e07adbffdfff9b5a1ab50
Instruction ID: 58027df10fdb6b6a0e7cf94df79cc00bb7d5cf850dea806a8bcf35672ad69514
Opcode Fuzzy Hash: f01fd5cd5627b05e9f3516914c30ffa1712189397e4e07adbffdfff9b5a1ab50
Instruction Fuzzy Hash: 6C31BBB5D102589FCF10DFA9D984AEEBBF5BF48314F14842AE418B7240D778A985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09297BA8 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 09297C26

Memory Dump Source

Source File: 00000013.00000002.419188687.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_9290000_U7Ncg7oAyC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5f7457cb65213983e2f8b53e8b5f4936cf9a6c7412e6bec9b33b6ac508034061
Instruction ID: 2178672e995137aae29658078587fb1433ffcda04850ef6e3cd1ccde27c4d8bf
Opcode Fuzzy Hash: 5f7457cb65213983e2f8b53e8b5f4936cf9a6c7412e6bec9b33b6ac508034061
Instruction Fuzzy Hash: A931A8B4D142189FCF10CFA9D984AEEFBB5AB49324F14942AE815B7300C775A945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 07E02998 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2019929dd3ef46a93864dad113669dd14b9b04fe1561c295d02b30469ef676e
Instruction ID: e5067b4cc1fd793e7b07faae0c3b5e4e1d323ad22a4966c30b14da00ea0b8247
Opcode Fuzzy Hash: e2019929dd3ef46a93864dad113669dd14b9b04fe1561c295d02b30469ef676e
Instruction Fuzzy Hash: 36F152B6A016158FCB15CF68C48899DBBF6FF88354B1A8095E515EB3B1DB34EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07E00E0A Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dee84311bac41804efe60965f19b9b9b1097318e83cebd34a9c37e04c2f4841
Instruction ID: ce75a0107df4be7cc349b5f79daf91ce6dc1ab5a88566cb4a798ddac30f3c199
Opcode Fuzzy Hash: 4dee84311bac41804efe60965f19b9b9b1097318e83cebd34a9c37e04c2f4841
Instruction Fuzzy Hash: AF0248B060120ACFDB14CFA8C584AAEBBB6FF49314F159959E405EB2D1C734E8D1CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07E01500 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb1b190d8111cab4d11a8496f118b37528d03ec9c5d24056338ffb0efd5fcb9
Instruction ID: 5de42b97f4458ab152a69e44e0f128f7f5cabadc48c4d640f1b3f31eb7cd28c4
Opcode Fuzzy Hash: 4fb1b190d8111cab4d11a8496f118b37528d03ec9c5d24056338ffb0efd5fcb9
Instruction Fuzzy Hash: 076192B431610A8FD714CF79EC8496E7BE9EF867547095479E406CF2A1EB34DC808B90

Uniqueness

Uniqueness Score: -1.00%

Function 07E026C0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad28e3cc4c1185480c9274e10242632bd285416670adae95669f422cc6261dd
Instruction ID: 0d6b1fc83ab38dab7f4a0b9f30a80f70100e56f035f664f3e7d9ff5696035324
Opcode Fuzzy Hash: bad28e3cc4c1185480c9274e10242632bd285416670adae95669f422cc6261dd
Instruction Fuzzy Hash: 196125B43052458FDB258B34D85CABD7BFABB85254B198469E216DB7C1DF24CCC087E1

Uniqueness

Uniqueness Score: -1.00%

Function 07E06D36 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678c9b6920453d81de2d3985ea796130977cd72fb016321ab316af3702e76b69
Instruction ID: 678606ffebc6c9c7ccdb79f4c27b59e953599352ef174e1cf5e285d1e2ad0bf3
Opcode Fuzzy Hash: 678c9b6920453d81de2d3985ea796130977cd72fb016321ab316af3702e76b69
Instruction Fuzzy Hash: 0381B0F0A06216CFC704CF68C454BAEBBB1EB41328F189266E0659B3D9D735D9B1C791

Uniqueness

Uniqueness Score: -1.00%

Function 07E05BD0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c56d2f71393074a47494a0d350ba75206e3fcb499432f0c101e94f0a93c5784
Instruction ID: 0de360853fb2256b9a4d37a2654cccb0b6c60ce3027f734b4b32fbb49c981a8b
Opcode Fuzzy Hash: 0c56d2f71393074a47494a0d350ba75206e3fcb499432f0c101e94f0a93c5784
Instruction Fuzzy Hash: 7171DAB0B02244CBDB14CBA8C815EAEBBB7EB45315F049126E555EB3E4C730D8928F91

Uniqueness

Uniqueness Score: -1.00%

Function 07E05BC3 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65f51bd635fcd891b4c9c5db1401ec1a33559a003a8067531d8f73d17f2bdbd
Instruction ID: c6255f662713b5c434a3249bf8e12e974bceecfc43121bbfd15649d3fdb7d6f9
Opcode Fuzzy Hash: f65f51bd635fcd891b4c9c5db1401ec1a33559a003a8067531d8f73d17f2bdbd
Instruction Fuzzy Hash: EC7109B1B022448BDB14CBA8C855EEEBBB7EF85315F049126E455EB3E4C730D8928F91

Uniqueness

Uniqueness Score: -1.00%

Function 07E01300 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9f545e780f24f055e8927e3ba84bc392d0145997e9fd90a3c28e9928c7f1bd
Instruction ID: 1611ebc9b5215e78081b03835ae108e399e7ad44d30220d7ff7e908993145005
Opcode Fuzzy Hash: 2e9f545e780f24f055e8927e3ba84bc392d0145997e9fd90a3c28e9928c7f1bd
Instruction Fuzzy Hash: 6A4165B4600219CFCB149F69D888AAE7BB6FB49314F115069F9168B3B0DB74DC90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07E0AEF2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa10aae764f5df5d27d2f26411929ec1a575fa65ef1d11fd9958f01b88754c5
Instruction ID: 63cea148d7b78f056fcb09c336a9200a0a071dbf652726c407e641a5853894a3
Opcode Fuzzy Hash: 9fa10aae764f5df5d27d2f26411929ec1a575fa65ef1d11fd9958f01b88754c5
Instruction Fuzzy Hash: FF416AB4A0A218DFDB50DF64D844BADB7B6FB49301F40C0A9D809A7784DB389E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07E03D20 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9588eab0023e67228d7ecb427f6094c714109c30960e94867cd44d64a91fe7
Instruction ID: 86ceb524e3051865c54f5d2685d84f1147307eb3317aff768d988ff2dc6424fa
Opcode Fuzzy Hash: 3c9588eab0023e67228d7ecb427f6094c714109c30960e94867cd44d64a91fe7
Instruction Fuzzy Hash: 7331A8B0A16316CBC7248FAAC5501BBB7F1EB46615F14563FE156DA2C0E334D9C1C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07E07BF9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e7fab591611513fadd8767ea8742b0160e39fcee99266414ccb6f9e4f717a9
Instruction ID: 363a407ae7aaedb4030942f6366c49c6ee8f717e85e3a63877114a7820436f39
Opcode Fuzzy Hash: e1e7fab591611513fadd8767ea8742b0160e39fcee99266414ccb6f9e4f717a9
Instruction Fuzzy Hash: 70315BB0A16105CFCB108F68D8C45FABBB5EF5A334F19A1A6D411DB2D1C234E9C2C791

Uniqueness

Uniqueness Score: -1.00%

Function 07E00007 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ff851303797d1a54ca6936250aee6bb21296b62aad204e83a01aabfb92d738
Instruction ID: b95a28dde8bd6a92291fd42681902dab7d7d65d9cbe83a3c7e8cc0b5b75703c2
Opcode Fuzzy Hash: 62ff851303797d1a54ca6936250aee6bb21296b62aad204e83a01aabfb92d738
Instruction Fuzzy Hash: D731E6715093859FCB22CB64C804BEA7FB1FB06368F0995ABD0598B192D3399DC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07E07C08 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ec6532e4aece5bb473b76725ada20c2774f90a1a42170adbc035f32abeebbc
Instruction ID: 12051ccd898bb39ae2ac042d528e6dbbae8c620e535a07266443b22d13c8b126
Opcode Fuzzy Hash: 95ec6532e4aece5bb473b76725ada20c2774f90a1a42170adbc035f32abeebbc
Instruction Fuzzy Hash: 2C3126B0A1A109CFCB108F68D8845FAF7B0EB4A320F15A5ABD456D72D0C334E9C2C791

Uniqueness

Uniqueness Score: -1.00%

Function 07E02988 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c52399b91ca8703742a6d00ac29e50a91052d0af7ee8f2e5b771c64a8d10949
Instruction ID: 6b2333fbb17aaf36c231b411b43a855a7b0e46d552346e9468e62ac747c7d185
Opcode Fuzzy Hash: 8c52399b91ca8703742a6d00ac29e50a91052d0af7ee8f2e5b771c64a8d10949
Instruction Fuzzy Hash: AD315EB1A016068FCB14CF68C8889AEBBF6FF89364B158155E515973A5DB30DC528BE0

Uniqueness

Uniqueness Score: -1.00%

Function 07E01730 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece40169e03843486339ff5c81dd60a774fff30f937c3c62e514dfea19e1cc00
Instruction ID: 9f8bb073153da739f08775485eb7865c3aea220470e4ab5435d151fcb8881994
Opcode Fuzzy Hash: ece40169e03843486339ff5c81dd60a774fff30f937c3c62e514dfea19e1cc00
Instruction Fuzzy Hash: 5B21F3B130534A4BDB251635885497E36969FC269D708903DE802CF7D5EA34CCC1C3E2

Uniqueness

Uniqueness Score: -1.00%

Function 07E032D8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5993f3276ad83937ff25f367c5bd8e33d3b92eaf27b32ac4fcdeba16cd1c7c
Instruction ID: 46620cf53102a0efb6bf77443bfb991639e0460167a43c315c169c5f497584fd
Opcode Fuzzy Hash: 5c5993f3276ad83937ff25f367c5bd8e33d3b92eaf27b32ac4fcdeba16cd1c7c
Instruction Fuzzy Hash: C431E1B161E246CBCB108B7984802BDB7B2FB86315F19E1AFD0758A6D5CA38C9C0C791

Uniqueness

Uniqueness Score: -1.00%

Function 07E01740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c827ee4a5d2dede95a4d39b362bcf17c541852fb1b96237719c4bf6bcfc214cf
Instruction ID: 17acbb2e04a133bec05403895851775f7fa2826a20b4356d6320a62d00590e26
Opcode Fuzzy Hash: c827ee4a5d2dede95a4d39b362bcf17c541852fb1b96237719c4bf6bcfc214cf
Instruction Fuzzy Hash: B621B0B570120A4BEB251625885467E32979FC675DF189039E402CFBD4EE39CCC283E2

Uniqueness

Uniqueness Score: -1.00%

Function 07E067B0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb47b9a96ddd17385924d5c2ed6b305289ce05a1545a238224c8abe4a1aa5661
Instruction ID: e0d2bd1cbb3d74978094e19574189abda76b4be2215a4c581d767d407c02bc8c
Opcode Fuzzy Hash: bb47b9a96ddd17385924d5c2ed6b305289ce05a1545a238224c8abe4a1aa5661
Instruction Fuzzy Hash: D721C3F1A0A205CBD7108F69D8463EABBB4EB46310F58512BD516CA6C4D734D9E487E2

Uniqueness

Uniqueness Score: -1.00%

Function 07E067C0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fb92d29be650e9ef5df6de2903f21c5b88f2f9bace76c97e8af58b3764523e
Instruction ID: b4d5d44125cca6c3f3bc377bb24ca6a5419fe3cdc6a0ce6a2e023fdd39228132
Opcode Fuzzy Hash: 45fb92d29be650e9ef5df6de2903f21c5b88f2f9bace76c97e8af58b3764523e
Instruction Fuzzy Hash: F3210FF1A0620ACBDB108FA9C4863EAB7B0EB45314F48903AD516CB6C4D734D8E9C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384039759.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_dcd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b1eeddf647ccc2363c3415c57acccf75bdb0c541e630d0c8c1b1a34cbf362a
Instruction ID: da38285295460db2d3876f8adf25e4af3e7704badde6261fdc830b1f2acbf8bd
Opcode Fuzzy Hash: 52b1eeddf647ccc2363c3415c57acccf75bdb0c541e630d0c8c1b1a34cbf362a
Instruction Fuzzy Hash: E621FFB2518241DFCB05DF14D9C0F2ABB66FB98328F2885BDE9454B246C336D856CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384060463.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ddd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197cb8222d05a884d29c6e7668ceaae6fa76238a728025f063bf7aca99c11b49
Instruction ID: fb597026ee33a3d8e59c269bfeddc2443a0b2dd9b8ff6f4536c6fa3184db46b5
Opcode Fuzzy Hash: 197cb8222d05a884d29c6e7668ceaae6fa76238a728025f063bf7aca99c11b49
Instruction Fuzzy Hash: 8A21B0B5508240DFDF14DF24D9C4B26BB66EB88314F28C5AAE9494B346C336D85BCA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384060463.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ddd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6630c20d043714b1019a437c84d6401b41e9339b93493307ed7f887cf9016ea
Instruction ID: aed584ba971be8e9fb6591fa839fcbb5cfa6c287c8b46155ba4dd7f2270de528
Opcode Fuzzy Hash: e6630c20d043714b1019a437c84d6401b41e9339b93493307ed7f887cf9016ea
Instruction Fuzzy Hash: 062104B1508240EFDF11DF60D9C0B26BFA6FB88318F24C5AAE9494B346C336D856CA71

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B027 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f2380dcbe491abe9c77288b42127f3c501a898100fbd4c0b32d0e0db1f2137
Instruction ID: bc5d892762de90915002af107909defb088040d81fd0d4cd13271005bb99ae3a
Opcode Fuzzy Hash: 64f2380dcbe491abe9c77288b42127f3c501a898100fbd4c0b32d0e0db1f2137
Instruction Fuzzy Hash: 6B315CB4A06209CFDB54DFA4D854AEDBBB5FB49305F0180A9D909E7744DB389D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07E048EF Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e872d28dfef4797b2e31c000be4f2d8416684f697bdbf35651399e443672ad0
Instruction ID: c67706570ce6f673c45556c0c1616220462f27ca35fb66b856b234737d92aa19
Opcode Fuzzy Hash: 6e872d28dfef4797b2e31c000be4f2d8416684f697bdbf35651399e443672ad0
Instruction Fuzzy Hash: 1E1104B1A053865BCB11DB799C449BFBBF6EBC62607144529E518D72C0EF30894587E1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384060463.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ddd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449afd37c93d8a8d7338991338e37037e808d8bf65385ebaa785a3b4ab3fc49a
Instruction ID: 9eeb45875a370755a3827f79cf77df91042f57f089c5dbbb7297402e9d83a68e
Opcode Fuzzy Hash: 449afd37c93d8a8d7338991338e37037e808d8bf65385ebaa785a3b4ab3fc49a
Instruction Fuzzy Hash: C02180755093C08FCB12CF24D994715BF71EB86314F29C5EBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07E04410 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013e4346bf39172c9fc206fe465d29936da942f034372b88e5d59129bad5b0c5
Instruction ID: b6e9a0e16c2f6e59ccd2bcde792f89873cf432731b74e31636cc40295639cb8d
Opcode Fuzzy Hash: 013e4346bf39172c9fc206fe465d29936da942f034372b88e5d59129bad5b0c5
Instruction Fuzzy Hash: C411C6B1A012465B8B10EB7D99449BFB6F6FBC52507504938E519D3380EF30DD0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 07E04820 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9552bf6a7575909f5c7cf5f96933909984831dfae42aab4104c489ea1c1339b2
Instruction ID: ef1df87fb064dbf68ad415899235f108025a421363d6b05447f149be2dfe0508
Opcode Fuzzy Hash: 9552bf6a7575909f5c7cf5f96933909984831dfae42aab4104c489ea1c1339b2
Instruction Fuzzy Hash: 95117371F052498BCB64EBB896105EEB7F6AF86714B100439D504EB780EB31CD96CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384039759.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_dcd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction ID: 34a0b754147cefd46282c229e3c5ba01e1200b51775d8cee04404fbabe96556a
Opcode Fuzzy Hash: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction Fuzzy Hash: F411B176404280CFCB11CF10D9C4B16BF72FB89324F28C6ADD8450B656C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B0CF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8213a19f8a0274de238415d66961c69b1784556709eb93a436f13e44e0a4fab6
Instruction ID: 89e91da3a308b4a4a34a92d286a3a7ed924c38fb941053a2a694cdfb57bf86b8
Opcode Fuzzy Hash: 8213a19f8a0274de238415d66961c69b1784556709eb93a436f13e44e0a4fab6
Instruction Fuzzy Hash: 842141B4A092098FEB60DF64C455ADDBBB6FB88341F20C16AD809E7749DB389D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07E05007 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff7e4dafea29a026924cc979eb90c1139b0cdfbc7e1f8f8404b84ac9b3c92d7
Instruction ID: 8d4809b90bf004d7767947c40a9f87c8f637b3412e2e965df709825d177db291
Opcode Fuzzy Hash: 4ff7e4dafea29a026924cc979eb90c1139b0cdfbc7e1f8f8404b84ac9b3c92d7
Instruction Fuzzy Hash: A001A2B6B051155FC3109769E884CABBBE9EFC92393158166F648CB362D9218C82C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384060463.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ddd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction ID: d1436108c8c7bece729112c10933a71fff1a5076315bf4b7f26c2577a32eba18
Opcode Fuzzy Hash: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction Fuzzy Hash: 38117975904280DFCB11DF10D5C4B15BFB2FB84324F28C6AAD8494B756C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B3BE Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db64b0d86c260a57bf0de2b8426283e27ab38ef7a43e4797acd65fdffae45d3
Instruction ID: 4b3c0d538bfa3cefe999eb1f84fa88a21e6d38891bfbc39410a6eeb70c270a7b
Opcode Fuzzy Hash: 0db64b0d86c260a57bf0de2b8426283e27ab38ef7a43e4797acd65fdffae45d3
Instruction Fuzzy Hash: A9216DF4E1A2098FDB50CF98D880AECB7B5FB49309F0191A5D419A7384D738AE81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B9C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293c5345b191f340d965ca2402935433168595b0e22485fe1d9b307e5b4dea02
Instruction ID: c16c7ca09ecbc09c2df510463f83c6c974f2179a5f280d875ac9541c22a75728
Opcode Fuzzy Hash: 293c5345b191f340d965ca2402935433168595b0e22485fe1d9b307e5b4dea02
Instruction Fuzzy Hash: 88113DF4A091199FDB14CF98C854BEDB7B5FB49305F0081A6D909A7384DB385D828FA0

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B1F1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f45ede5ed59ff1d92d5038af695677e9580473e378825606819d1c6103b478
Instruction ID: 242efd1cb3034f79d66293c432758be6b256fcfb0a0f681300d7b18a4a401eb4
Opcode Fuzzy Hash: 34f45ede5ed59ff1d92d5038af695677e9580473e378825606819d1c6103b478
Instruction Fuzzy Hash: 7C119DF4A092098FDB00DF58C455AED7BB5FB49304F008169E909E7785D738AD01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384039759.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_dcd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0858e3cc29566f6946f7c299f12e46d7bff09ae1de9b4d1e5560ecad66797ef4
Instruction ID: 28b40eb9bf5d3bce40af0f307435eba369a7371ef999c79a19d96e978627e3ed
Opcode Fuzzy Hash: 0858e3cc29566f6946f7c299f12e46d7bff09ae1de9b4d1e5560ecad66797ef4
Instruction Fuzzy Hash: BC01F7710083849AEB109E25CDC4F66BB99DF41368F1CC56EE9065B2C6D379D841CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.384039759.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_dcd000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d826591863548189556709e51af4834ff558334f762f285623e4666e0cdb6da0
Instruction ID: 847803bdcd68b029a768901206d1ff810826ba1bf7701342a45e0aa6246d8914
Opcode Fuzzy Hash: d826591863548189556709e51af4834ff558334f762f285623e4666e0cdb6da0
Instruction Fuzzy Hash: C2F06271408284AAEB108E15CCC8B62FFA8EB91774F1CC55EED095B286C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B7A3 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b357537d0b7b382177efec04a47c661b3821c32bc01d614144dff38340a03a
Instruction ID: 6fa978b22215f67023e61aaee65693b611049e82ff6f08126ac4126679757851
Opcode Fuzzy Hash: 03b357537d0b7b382177efec04a47c661b3821c32bc01d614144dff38340a03a
Instruction Fuzzy Hash: C7011AB4A09219CFDB50DFA8D84479C77B1EB88341F50C2AAD80DA3744DB385E95CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07E0BBF1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bf24109a7044dbd3c8c00b7310586b447a7692da1621a9a753c95890d0fcb5
Instruction ID: 79ac203b94d7fa75717af6ed7d26a92247c57a1b765fdd176f9ef1d20e9f9b42
Opcode Fuzzy Hash: e8bf24109a7044dbd3c8c00b7310586b447a7692da1621a9a753c95890d0fcb5
Instruction Fuzzy Hash: 50F0C2F240E3C99FC7028B7499543A97FB4AB03245F0941E7D5889B457DA201E90CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 07E05018 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d99f27862429eec7ee9d6c2a8774b481297247105eeb8ab54f9bd93d640ede2
Instruction ID: 076a85a1f449ab20badf59d626f59264b17177493653d42f8cfb5ed013158a5b
Opcode Fuzzy Hash: 6d99f27862429eec7ee9d6c2a8774b481297247105eeb8ab54f9bd93d640ede2
Instruction Fuzzy Hash: A3E03976B041246F5314DA6AD884C6BFBEEEBCD664351813AF908C7320DA319C0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B3C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20656f421e656a7fbc64e6dd0bc41a49f566d0c8567a0a2dde13298c541f65ba
Instruction ID: 1e26fe81cc559267caa96eff70af93029ccd70d1a1fb754bea823945a0fa6f6d
Opcode Fuzzy Hash: 20656f421e656a7fbc64e6dd0bc41a49f566d0c8567a0a2dde13298c541f65ba
Instruction Fuzzy Hash: 66F04FB4A1A2198FDB40DF98C440ADD77B5FB84345F0084799409E7744DB38AE41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D198 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9938070c158e2883b26a17ca03782a6ad56bb165e7f381ac846de0b64e02ef0
Instruction ID: 0a40fdcd2efa39f6ccba73e7ff4691ec6c2de67c61c7c17ebffb21a6c9af6e46
Opcode Fuzzy Hash: f9938070c158e2883b26a17ca03782a6ad56bb165e7f381ac846de0b64e02ef0
Instruction Fuzzy Hash: 84F0F8B4A09208AFCB40DFA8D481A58BBF0AB49204F1580EAD85897746DA35AA51DF81

Uniqueness

Uniqueness Score: -1.00%

Function 07E0BF48 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e088fdb9d8ecf46566fbf42826b0b5c0ad14530fb3176f2bb31c587e590a4044
Instruction ID: f91d75baa1437b1572527458a6539f6d5215061183cac2d609a5b26112b4dd1a
Opcode Fuzzy Hash: e088fdb9d8ecf46566fbf42826b0b5c0ad14530fb3176f2bb31c587e590a4044
Instruction Fuzzy Hash: 0CF020F090A388AFCB10EB30AC5A75D7FB4A706384F0084ECD84483181EB7429A8CB12

Uniqueness

Uniqueness Score: -1.00%

Function 07E0B309 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5c6c903abb89e416c7581d3e52ddeedba26754280cd33b589cee288f98d6ea
Instruction ID: 1ba08f57d57bb22d0216042880f69f16bc0f45cc4dce6270ffc80b790a483e3c
Opcode Fuzzy Hash: 1d5c6c903abb89e416c7581d3e52ddeedba26754280cd33b589cee288f98d6ea
Instruction Fuzzy Hash: 5DF034B4A06248CFCB50CF68C944A9DBBF5EB49301F5080E8D849A7745D738AD91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07E0BF58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46569ebb1617ca5f911e4a7e7b5073e3da6a53a53ba12ad2bb1f7ada7c8890f3
Instruction ID: 06198a22703f3cde633945ae12f01e540de07d4c40d423e4c150f7c969f83d4b
Opcode Fuzzy Hash: 46569ebb1617ca5f911e4a7e7b5073e3da6a53a53ba12ad2bb1f7ada7c8890f3
Instruction Fuzzy Hash: 17E0DFB0A06349AFDF10DF74E94A72C7FA5A706348F0080ECD80893284EB352DA09761

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D1A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1661f3f1b3b6586f674253bb7484fe1bc7f690b829c427086c7861cf2f0e7e2
Instruction ID: e1d93577f313875ca7fb08afca3dbcc728afcce1b2bc5c4dac473e91a04b2e45
Opcode Fuzzy Hash: e1661f3f1b3b6586f674253bb7484fe1bc7f690b829c427086c7861cf2f0e7e2
Instruction Fuzzy Hash: E0E07574E05208AFCB44DFA8D58569DBBF5EB48304F14C1AA981897344EB35AA52DF81

Uniqueness

Uniqueness Score: -1.00%

Function 07E0BC10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffec71be6c4bce6adb3c17d65e92491be87e259418307ee5e2f358f5e933e0e6
Instruction ID: 27b567ddc8da3366438982f19f5fb191fb549ba699604c3f025ed8840a3ba803
Opcode Fuzzy Hash: ffec71be6c4bce6adb3c17d65e92491be87e259418307ee5e2f358f5e933e0e6
Instruction Fuzzy Hash: CAD0C2B180530CEBCB00DFB0E54565E7BB8EB05244F0040A6E50983110FF311E509BA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07E04C14 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e48212b43fcf88a2ebf11767638c49f29e26fe9ab24b05e2a5fb6ae8bc4398f
Instruction ID: 466ef4bbd66c54d4e2ceca6334dbb4248785f6cb1b97ab566fb09c216737b150
Opcode Fuzzy Hash: 5e48212b43fcf88a2ebf11767638c49f29e26fe9ab24b05e2a5fb6ae8bc4398f
Instruction Fuzzy Hash: 7F31D5B4D01249EFDB14CFA9D5849EDBBF1BB4A310F24A22AE914B7390D7309981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07E04C20 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.418717546.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7e00000_U7Ncg7oAyC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d934017556483ee88eb1ebfcf3513123765c03871fac230ce1520d09e5d857f2
Instruction ID: 6c9fa8f4a896e58e80e583dc4e2b70ed64a7e2fa29fed7bcca8c0789718aa1cb
Opcode Fuzzy Hash: d934017556483ee88eb1ebfcf3513123765c03871fac230ce1520d09e5d857f2
Instruction Fuzzy Hash: C8316FB4D05209EFDB14CFA9D584AEDBBF1BB4A350F24A12AE814B7390D7349981CF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 5308, Parent PID: 960COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	3

Executed Functions

Function 09B48418 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09B486DF

Memory Dump Source

Source File: 00000016.00000002.422965447.0000000009B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9b40000_dhcpmon.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 17ed489681599e0f168dee02a894a5e6fab15872ae33ec7bbc73e9dc8f3174bd
Instruction ID: eac0b4dc83cff8b670b934495683e4b9e3832d7d191cb50cb19054c9fff5187c
Opcode Fuzzy Hash: 17ed489681599e0f168dee02a894a5e6fab15872ae33ec7bbc73e9dc8f3174bd
Instruction Fuzzy Hash: 92C12571D042298FDB20CFA4C841BEEBBB1FF49314F0495A9E909B7240DB749A85EF95

Uniqueness

Uniqueness Score: -1.00%

Function 015ABC88 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015AD5F9

Memory Dump Source

Source File: 00000016.00000002.398758613.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_15a0000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8466b956fed5e70cae3310e1f403f2ecdb007c480b3d520559c43994fd1223a8
Instruction ID: 5da99e45c2a3475cf38b0e6a6fa514e5b403e2c71c5b05c793883c8d34dd3884
Opcode Fuzzy Hash: 8466b956fed5e70cae3310e1f403f2ecdb007c480b3d520559c43994fd1223a8
Instruction Fuzzy Hash: BD51E2B1D0421C8FDB20DFA4C984BCEBBB5BF59308F1180A9D549BB251DB716A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 09B48000 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09B480D3

Memory Dump Source

Source File: 00000016.00000002.422965447.0000000009B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9b40000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 86ae0ca0bc68264d5a2c3ab6bf771a796eeaf2e02771e468e552bbd16d97bae4
Instruction ID: 21d5328c7fc02a8c1d636059d088b7a5a3ba95cf908d6a0cd7e5922e2a219816
Opcode Fuzzy Hash: 86ae0ca0bc68264d5a2c3ab6bf771a796eeaf2e02771e468e552bbd16d97bae4
Instruction Fuzzy Hash: B041B8B5D012589FCF00CFA9D984AEEFBF1BB49314F14942AE818BB200D735AA45DF64

Uniqueness

Uniqueness Score: -1.00%

Function 09B48188 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09B4823A

Memory Dump Source

Source File: 00000016.00000002.422965447.0000000009B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9b40000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a22792098f19f56f08b84f226df411b1f5c65f433b74d077b7130e70b964b2c1
Instruction ID: 7427e00804705d53f5823bc9c9c0f29d1d694d1dab65ba23820af3aff3520d26
Opcode Fuzzy Hash: a22792098f19f56f08b84f226df411b1f5c65f433b74d077b7130e70b964b2c1
Instruction Fuzzy Hash: 0441A6B5D042589FCF00CFEAD884AEEFBB1BB59324F14942AE914B7200D735A945DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09B47EB0 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09B47F5A

Memory Dump Source

Source File: 00000016.00000002.422965447.0000000009B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9b40000_dhcpmon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4ad35f8ccec913b622999b5d0ca2792ead37344ca550172f10923f9dc5e52e42
Instruction ID: 5d832459a3672e357e239a2763b0fdd816da6564c46b58c832dc1c07ebf624f4
Opcode Fuzzy Hash: 4ad35f8ccec913b622999b5d0ca2792ead37344ca550172f10923f9dc5e52e42
Instruction Fuzzy Hash: 2A31A7B9D042589FCF10CFA9D984ADEFBB1BB49320F14942AE815BB300D735A945DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015A7E18 Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 015A7EC7

Memory Dump Source

Source File: 00000016.00000002.398758613.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_15a0000_dhcpmon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: baae998bb3e64d609d2c5714bff1d2817510dc172cec5e5fd10e9295452a87c6
Instruction ID: 8280c1ce2722f60f456a7da1ef18e09dba0b052d48cba1d8b8a13b8beebfe6f4
Opcode Fuzzy Hash: baae998bb3e64d609d2c5714bff1d2817510dc172cec5e5fd10e9295452a87c6
Instruction Fuzzy Hash: 913188B9D042589FCF10CFA9E584AEEFBB1BB09310F14942AE854B7210D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 015A7E20 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 015A7EC7

Memory Dump Source

Source File: 00000016.00000002.398758613.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_15a0000_dhcpmon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7e7a08b019c075c31ea0c3dce7443b307f7918bf90050fa66f8c4de078b03eb5
Instruction ID: 9da3e3c6b0fd8d812877dd287328f982521e7f638c93a6e87898c6c89a113db7
Opcode Fuzzy Hash: 7e7a08b019c075c31ea0c3dce7443b307f7918bf90050fa66f8c4de078b03eb5
Instruction Fuzzy Hash: C93197B9D042589FCB10CFA9E484AEEFBB4BB09310F14942AE814B7210D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09B47CC8 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 09B47D77

Memory Dump Source

Source File: 00000016.00000002.422965447.0000000009B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9b40000_dhcpmon.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a4cc58d2df5b0d25c0c453c84e09f1b6bb5cbcd6c5bb525bd85c7cf9338f03d2
Instruction ID: 1f0522572804cb6a9c6ebe63cc10128ce01fc60446c6925525ae0f8ad6355cc1
Opcode Fuzzy Hash: a4cc58d2df5b0d25c0c453c84e09f1b6bb5cbcd6c5bb525bd85c7cf9338f03d2
Instruction Fuzzy Hash: 0F31CDB5D002589FCB10DFA9D884AEEFBF1BF48324F14842AE414B7240D738A985DF94

Uniqueness

Uniqueness Score: -1.00%

Function 05718244 Relevance: 1.6, APIs: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 057189CB

Memory Dump Source

Source File: 00000016.00000002.420207034.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5710000_dhcpmon.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0f6763860721ebd1e42c50d8234d97e251dcad3d7ba4606564eb0aa2fe2ebdf9
Instruction ID: 28747fe432626c44c5e04c6233573ca91e06ee94f9a3adcc5957c83db0e39396
Opcode Fuzzy Hash: 0f6763860721ebd1e42c50d8234d97e251dcad3d7ba4606564eb0aa2fe2ebdf9
Instruction Fuzzy Hash: 8131A7B8D04208AFCB10CFA9D484ADEFBF4AB09310F14902AE815BB310D335A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09B47BA8 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 09B47C26

Memory Dump Source

Source File: 00000016.00000002.422965447.0000000009B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_9b40000_dhcpmon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e621569b3d77785a4245bda80395e6c9162dfd46c39ba6d811d1284f658f380b
Instruction ID: 25c55b5f2b393db15eb86063f5307cec9f3d01e44c01f411a761eff320737097
Opcode Fuzzy Hash: e621569b3d77785a4245bda80395e6c9162dfd46c39ba6d811d1284f658f380b
Instruction Fuzzy Hash: 4631AAB4D052189FCF10DFA9D984AEEFBB4AB49324F14942AE815B7300CB35A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 5256, Parent PID: 3616COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	207
Total number of Limit Nodes:	15

Executed Functions

Function 04E13E58 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04E13EC8
GetCurrentThread.KERNEL32 ref: 04E13F05
GetCurrentProcess.KERNEL32 ref: 04E13F42
GetCurrentThreadId.KERNEL32 ref: 04E13F9B

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1249138f3e861def4d44ace2cd6b924ef5f13eb8eef94b66a1cb3c68b61f4abc
Instruction ID: f9f840bf2453b231ef0a3dc1c591682fce8a0a77af0550abc137b41668b8bbc7
Opcode Fuzzy Hash: 1249138f3e861def4d44ace2cd6b924ef5f13eb8eef94b66a1cb3c68b61f4abc
Instruction Fuzzy Hash: 795144B09007498FEB14EFAAD5487EEBBF1EF49314F248559E409A73A0D734A844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 04E13E68 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04E13EC8
GetCurrentThread.KERNEL32 ref: 04E13F05
GetCurrentProcess.KERNEL32 ref: 04E13F42
GetCurrentThreadId.KERNEL32 ref: 04E13F9B

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 641f7e7396f733243a99aebb79c58a2c042f4e3a68cbd04971a1e6f55c8227a5
Instruction ID: fceab16e10f7d11c72db85ba46690807cf4c0da47c3d095fe0956ac17cd707f4
Opcode Fuzzy Hash: 641f7e7396f733243a99aebb79c58a2c042f4e3a68cbd04971a1e6f55c8227a5
Instruction Fuzzy Hash: 835146B09013498FEB14EFAAC548BEEBBF0EB49314F248559E409B7360D734A944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 04E184E0 Relevance: 1.8, APIs: 1, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd74bf3c71ef2823c8c9ad7dc7f8750d229aecd3be94c4bdac496f1b86f8a306
Instruction ID: 40bce0870c087645c1ad1b840388187374ae888e5bbb8442787be60d2bfc4d2c
Opcode Fuzzy Hash: cd74bf3c71ef2823c8c9ad7dc7f8750d229aecd3be94c4bdac496f1b86f8a306
Instruction Fuzzy Hash: CAC10775D093589FDB12CFA4C884AD9BFB1FF0A304F16909AE448AB262D7309999CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E11A28 Relevance: 1.7, APIs: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04E11C9A

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e87282b699db8180e23b54af783ab94eec425e59de2eb91a6f220f5090141f2c
Instruction ID: 44584b81696e151c3a777f1721b5eb2f989e37b50f8fb00812a0e3a87c5c2c75
Opcode Fuzzy Hash: e87282b699db8180e23b54af783ab94eec425e59de2eb91a6f220f5090141f2c
Instruction Fuzzy Hash: 3791E370A00B098FDB24DF69D484A9AFBF1BF48308F04992AE546E7760E734E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E1862C Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04E187F9

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 517e422452f8ed3130cdd64db00367a6e6b70fbbb5d09389cdb4eb8a930ac520
Instruction ID: 13caee76b23921651e0ea62ef91f8b5b5a71550d250c7bc241fd683b1b4af183
Opcode Fuzzy Hash: 517e422452f8ed3130cdd64db00367a6e6b70fbbb5d09389cdb4eb8a930ac520
Instruction Fuzzy Hash: EA718BB4D00218DFDF20CFA9D984ADEBBF1BF09314F5491AAE408A7221D730AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04E18638 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04E187F9

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 883bf95afb2c6259ce9fb93964b251603924d4129f571663b2ad35f806ff73da
Instruction ID: 9e42c1e125f03ee8b3c7f680c6104333707e42381189c9c875aeedb4c63ab124
Opcode Fuzzy Hash: 883bf95afb2c6259ce9fb93964b251603924d4129f571663b2ad35f806ff73da
Instruction Fuzzy Hash: 60717BB4D00218DFDF20CFA9C984BDEBBF1BB09314F5491AAE408A7211D734AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0266BC88 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0266D5F9

Memory Dump Source

Source File: 00000018.00000002.426696497.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2660000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a4d9870a3323e676fb47b17e9a78fe453e666106341440557f6200cb24d9e318
Instruction ID: 7cdbfeeb5b746f34da152dd18f11fb23bdf4fd698b6035747ac3929d7913bfad
Opcode Fuzzy Hash: a4d9870a3323e676fb47b17e9a78fe453e666106341440557f6200cb24d9e318
Instruction Fuzzy Hash: B551E471D0421C8FEB20DFA4C944BDEBBB5BF55308F1180A9D509BB251DB71AA89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E14090 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04E1415B

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d83469a92ad2a9807a1404ac047d5092049aa3edf00d857990030de939607b65
Instruction ID: 9f783c37befe0596154928059cdd03197087ce94851d16b819e5db2d448b610c
Opcode Fuzzy Hash: d83469a92ad2a9807a1404ac047d5092049aa3edf00d857990030de939607b65
Instruction Fuzzy Hash: EE4166B9E002589FCF00CFA9D984ADEBBF5BB19314F14902AE918BB310D335A955CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04E14088 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04E1415B

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8a7ca0994bc4c513a1aca7fdea3b5ed54b5d547c651db0f436cbd66849d9c6e2
Instruction ID: 26871195f4892f17e57cd419631ce84ba6ae8f34dc0067875e59784a3b9b81f3
Opcode Fuzzy Hash: 8a7ca0994bc4c513a1aca7fdea3b5ed54b5d547c651db0f436cbd66849d9c6e2
Instruction Fuzzy Hash: 634175B9E002599FCF00CFA9D984ADEBBF5BB19314F14902AE918BB310D335AA55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02667E18 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02667EC7

Memory Dump Source

Source File: 00000018.00000002.426696497.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2660000_dhcpmon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e8e1430bb028e5045c96bf161ed35704673981f9f60960c931b5cb292aca13b1
Instruction ID: 20596290346bd9bd696b487e70efc23e64ed39e863ccbbcfaf037dc1f7d44640
Opcode Fuzzy Hash: e8e1430bb028e5045c96bf161ed35704673981f9f60960c931b5cb292aca13b1
Instruction Fuzzy Hash: 7E3197B9D042589FCF10CFA9D984AEEFBF1AB09314F24902AE814B7350D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04E11450 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 04E11FC2

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f80a1e4f37fb4a5aa7cee7bfcab254cb284b11f657c0c233b4d86ecd83ee7ca
Instruction ID: 553df2be15adde5b26fe45e8020bd88124a54526d3b6515a65624e9e473a6f32
Opcode Fuzzy Hash: 8f80a1e4f37fb4a5aa7cee7bfcab254cb284b11f657c0c233b4d86ecd83ee7ca
Instruction Fuzzy Hash: AF4185B4D052589FDF10CFAAD884AAEFBF1BB49314F14902AE914BB220D334A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04E17BF4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E1AE61

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6d9db3e11ea8be142381a034fa1a53b715b80c1c44dcba996f24c53d343f1282
Instruction ID: f50c8596c0cc57219ebf877c972bc03cc7e4a17f54033a5d741916e1337c63ad
Opcode Fuzzy Hash: 6d9db3e11ea8be142381a034fa1a53b715b80c1c44dcba996f24c53d343f1282
Instruction Fuzzy Hash: 894115B4A00305CFDB14DF99C488AAABBF5FB88318F15C459D519AB321D774E881CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E11F10 Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 04E11FC2

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 46419700cd3ea7b9db739bd34a71accc8cc30ddfc5c12a605d9ae7b78be4f065
Instruction ID: 21bdc5190a43a71c874b503727e80385a65c2d9dfcdae8a33c18c456cc18008e
Opcode Fuzzy Hash: 46419700cd3ea7b9db739bd34a71accc8cc30ddfc5c12a605d9ae7b78be4f065
Instruction Fuzzy Hash: 8D4198B4D012599FDF10CFA9D884ADEFBF1BB49314F14906AE914BB220D334A946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02667E20 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02667EC7

Memory Dump Source

Source File: 00000018.00000002.426696497.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2660000_dhcpmon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a5a77d299cda5fb49dc666059238d0b78324a99ef4bf87ad7d7e62f45d139b27
Instruction ID: fd4e2a9718c55866b4581963a507800fd7e6b4c231199fd4d00aef0b82e0d501
Opcode Fuzzy Hash: a5a77d299cda5fb49dc666059238d0b78324a99ef4bf87ad7d7e62f45d139b27
Instruction Fuzzy Hash: C53177B9D042589FCB10CFA9D984AEEFBB1AB19314F14902AE814B7210D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04F38244 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 04F389CB

Memory Dump Source

Source File: 00000018.00000002.436057198.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4f30000_dhcpmon.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1462a7b9eb969304b5fc44c7d0da2bf9aa52eb39d67712f3d075e933cb3a61ab
Instruction ID: 1a2e66ff1f4f240496819ac02d67556eab73ead8bf19f63f843cf4b79470594c
Opcode Fuzzy Hash: 1462a7b9eb969304b5fc44c7d0da2bf9aa52eb39d67712f3d075e933cb3a61ab
Instruction Fuzzy Hash: 9C3187B9D05258AFCF10CFA9D884ADEFBF4AB49314F14902AE814BB310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E18958 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04E189EE

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cd4108ebc104dc6975e0bdd94437414e0b25804cc0823cb0628257f65d5bd3c7
Instruction ID: 3f9f705c2debb49e236353d9f467f2ce78f413b9829e8d3a631c690939d4c9ea
Opcode Fuzzy Hash: cd4108ebc104dc6975e0bdd94437414e0b25804cc0823cb0628257f65d5bd3c7
Instruction Fuzzy Hash: 9031A7B9D012589FCB10CFA9E984ADEFBF4BB09320F14952AE814B7350D335A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E11C08 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04E11C9A

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2cbfadf1f55936a42e99e1f83856e01c564c120755b4863019e52e3f2c7edd43
Instruction ID: 78cd3f10dc28b3d3d8ade42c212f3dab61e51feb73b09025a99c6f1e512fdd12
Opcode Fuzzy Hash: 2cbfadf1f55936a42e99e1f83856e01c564c120755b4863019e52e3f2c7edd43
Instruction Fuzzy Hash: C231B8B4D002599FCB14CFAAD884ADEFBF5BB49314F14906AE818B7320D334A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E18960 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04E189EE

Memory Dump Source

Source File: 00000018.00000002.435830680.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_dhcpmon.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ad941995d5a6d7dea8fea21caa51830dc12d0e1149fbd5ccd41c6349903c36b0
Instruction ID: 8b007fb4fa29d13fe54b77de4388537dc2a8dbeddda001f1e9d9da90b3808b5d
Opcode Fuzzy Hash: ad941995d5a6d7dea8fea21caa51830dc12d0e1149fbd5ccd41c6349903c36b0
Instruction Fuzzy Hash: 223195B9D012189FCB10CFA9D984ADEFBF4BB49310F14902AE818B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426031739.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d4d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815838b1d80a7441f73236a33fa5c3725bd3acc2de36a8411b5234e7e018ba6e
Instruction ID: 8c7bec79e4e543732e29b91b13af737a7af196021f5a8ac54feb641103d5b95e
Opcode Fuzzy Hash: 815838b1d80a7441f73236a33fa5c3725bd3acc2de36a8411b5234e7e018ba6e
Instruction Fuzzy Hash: 3B2137B2504240DFCF01DF14D9C0B2ABF66FB98328F28C5A9E9494B246C736D856CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426203283.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d5d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafce7154283767b408518f00cbe7de90cc3b771ba00c9422628ed0a4dd5a0fb
Instruction ID: c160e76bf1b5dfccffa645df4fbb42ceb1672a562a6dc7691ccecbd6ec461574
Opcode Fuzzy Hash: bafce7154283767b408518f00cbe7de90cc3b771ba00c9422628ed0a4dd5a0fb
Instruction Fuzzy Hash: FA21F2B1504340EFDF21DF20D9C0B26BBA6FB88319F24C5A9ED494B246C776D85ACA71

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426203283.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d5d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab64c67ccbe4842e78bd3f459e57b80f3da62ee5f789ce56d4ab8196ae4ba07
Instruction ID: 7f9f3f4c248f23ce02ed9e214d8780d4098289a1fa32e1797947b4e9f60628a8
Opcode Fuzzy Hash: 4ab64c67ccbe4842e78bd3f459e57b80f3da62ee5f789ce56d4ab8196ae4ba07
Instruction Fuzzy Hash: 85210371504240DFCF20DF28D5C0B26BB62EB84315F24C569DC494B286C336D85BCA71

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426203283.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d5d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d04d480a0c2e2b9a52e2a8a47981c5302faa1ab0e0e5f5fd66fee6c8502964e
Instruction ID: 43c3e8e712793deb7a7942b28da306492c231144642f1ac68c35cb036803835e
Opcode Fuzzy Hash: 8d04d480a0c2e2b9a52e2a8a47981c5302faa1ab0e0e5f5fd66fee6c8502964e
Instruction Fuzzy Hash: A5217F755093C08FCB12CF24D994715BF71EB46214F28C5EAD8498B6A7C33A980ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426031739.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d4d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction ID: 6dfd76cb742d4d997cbeea327d835a2c6989d388e47876b92049c5661c145172
Opcode Fuzzy Hash: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction Fuzzy Hash: 8511E676504280CFCF11CF10D5C4B16BF72FB89324F28C6A9D8454B656C336D86ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426203283.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d5d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction ID: ec93ba83d84053b1a5a86d6fed97e6212502151da0dcad630e7034b6863aa93e
Opcode Fuzzy Hash: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction Fuzzy Hash: 97117975904280DFCB11DF10D5C4B15BBA2FB84324F28C6A9DC494B656C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426031739.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d4d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d9b90f5b39afd65b5c1ba0d3810b934082f03bf47f92c7bc14114c9ff36cd0
Instruction ID: 42228c5b8c7fff9efb40fd8558053bf0d6f207d0e2151e3f0e9c381b1effec98
Opcode Fuzzy Hash: b0d9b90f5b39afd65b5c1ba0d3810b934082f03bf47f92c7bc14114c9ff36cd0
Instruction Fuzzy Hash: E901F7714083449BEB108E25CD84B66BBD8DF41378F1CC55AE9064B246D379D840C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.426031739.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_d4d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3deed5ac73b8682f5f9cb16e4b491fdd6e0c020d18cb9f1f19432ffe9c0504
Instruction ID: 02a3bc5d89cdecb6ac0b3f4cbfbf1908ee423cd12622fc8082de0eac7e500612
Opcode Fuzzy Hash: ef3deed5ac73b8682f5f9cb16e4b491fdd6e0c020d18cb9f1f19432ffe9c0504
Instruction Fuzzy Hash: 90F04F714043849BEB108E15C888B62FB98EB91774F18C55AED095B286C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report U7Ncg7oAyC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U7Ncg7oAyC.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ecs0lfa.ixf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsigrkao.tom.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1m3l4aa.d5i.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5awvum2.yte.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mft4fmko.ytz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uw5wzcbh.lxx.ps1

Windows Analysis Report
U7Ncg7oAyC.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre