36.0.0 Rainbow Opal
IR
711673
CloudBasic
12:03:48
28/09/2022
attached PI.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
238b41e834f3b663584d4788493bc75f
006efa65c3a4c5b4ee2402ab5e6d789fc95e0b9c
e0b3c7281dd3488df3c71ee35dde8fe321e5aae4d3f200d2f63dfef64a97daff
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
true
238B41E834F3B663584D4788493BC75F
006EFA65C3A4C5B4EE2402AB5E6D789FC95E0B9C
E0B3C7281DD3488DF3C71EE35DDE8FE321E5AAE4D3F200D2F63DFEF64A97DAFF
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\attached PI.exe.log
true
69206D3AF7D6EFD08F4B4726998856D3
E778D4BF781F7712163CF5E2F5E7C15953E484CF
A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
false
69206D3AF7D6EFD08F4B4726998856D3
E778D4BF781F7712163CF5E2F5E7C15953E484CF
A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Temp\tmp6181.tmp
false
D44529740ECFF6AE70C76D0A3C410D4C
4F89B46804F9DD3C912F1339E67A47F17CC71889
A53275C1E247E1D887956DBDE3C9CA1AAA72269BD65D9A2A2D4F31CF36D67491
C:\Users\user\AppData\Local\Temp\tmp6CEB.tmp
false
D44529740ECFF6AE70C76D0A3C410D4C
4F89B46804F9DD3C912F1339E67A47F17CC71889
A53275C1E247E1D887956DBDE3C9CA1AAA72269BD65D9A2A2D4F31CF36D67491
C:\Users\user\AppData\Local\Temp\tmp8C89.tmp
false
D44529740ECFF6AE70C76D0A3C410D4C
4F89B46804F9DD3C912F1339E67A47F17CC71889
A53275C1E247E1D887956DBDE3C9CA1AAA72269BD65D9A2A2D4F31CF36D67491
C:\Users\user\AppData\Local\Temp\tmpD63A.tmp
false
05CB9D147938E4D615808C78EC195503
CEC5B9AF5ADCE5DF733B630917C2FA999C806019
7D3AB0C2A42695005C8E1B42350AE0DDB7376F3CA12F2E4DDA3701FE53AB8FD6
C:\Users\user\AppData\Local\Temp\tmpD9B5.tmp
false
5C2F41CFC6F988C859DA7D727AC2B62A
68999C85FC7E37BAB9216E0099836D40D4545C1C
98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
C:\Users\user\AppData\Local\Temp\tmpE760.tmp
true
D44529740ECFF6AE70C76D0A3C410D4C
4F89B46804F9DD3C912F1339E67A47F17CC71889
A53275C1E247E1D887956DBDE3C9CA1AAA72269BD65D9A2A2D4F31CF36D67491
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
32D0AAE13696FF7F8AF33B2D22451028
EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
6A2D94F5982D067BF2A1AB36640A7E5E
6F5ABF73D95734947FF9C95EBC4F8F58665D8B31
0D0B21D2A7CE3DB3F754897DBF994F8C0F04BD005D5F013143450F1DB032E41E
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
false
4E5E92E2369688041CC82EF9650EDED2
15E44F2F3194EE232B44E9684163B6F66472C862
F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
false
7E8F4A764B981D5B82D1CC49D341E9C6
D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
AF41AEE5DDE3AEBD95B39C61F92F2814
B513EE3B2578182B7AA3A0AB5D71B4698A2B82F2
C4E0DFFF3F4206C47C3D8893BADA97A68D5236D75ADE3947D5B09A2D8C0F2D00
C:\Users\user\AppData\Roaming\ecCUXmnB.exe
true
238B41E834F3B663584D4788493BC75F
006EFA65C3A4C5B4EE2402AB5E6D789FC95E0B9C
E0B3C7281DD3488DF3C71EE35DDE8FE321E5AAE4D3F200D2F63DFEF64A97DAFF
171.22.30.170
brightnano1.ddns.net
true
171.22.30.170
true
http://www.fontbureau.comF2muP
false
unknown
http://www.fontbureau.com/designersG
false
unknown
http://www.fontbureau.com/designers/?
false
unknown
http://www.founder.com.cn/cn/bThe
false
unknown
http://en.wI
false
unknown
http://www.sandoll.co.krendDo;P
false
unknown
http://www.fontbureau.comals)m
false
unknown
http://www.fontbureau.com/designers?
false
unknown
http://www.fontbureau.comaen
false
unknown
http://www.tiro.com
false
unknown
http://www.fontbureau.comnn
false
unknown
http://www.fontbureau.com/designers
false
unknown
http://www.fontbureau.comtoed
false
unknown
http://www.goodfont.co.kr
false
unknown
http://google.com
false
unknown
http://www.fontbureau.comFVm)P
false
unknown
http://www.sajatypeworks.com
false
unknown
http://www.typography.netD
false
unknown
http://www.founder.com.cn/cn/cThe
false
unknown
http://www.galapagosdesign.com/staff/dennis.htm
false
unknown
http://fontfabrik.com
false
unknown
http://www.tiro.comn7OgPF
false
unknown
http://www.sandoll.co.krntaD/
false
unknown
http://www.fontbureau.comTTFd_m
false
unknown
http://www.fontbureau.comL.TTF;mzP
false
unknown
http://www.fontbureau.com/
false
unknown
http://www.galapagosdesign.com/DPlease
false
unknown
http://www.fonts.com
false
unknown
http://www.sandoll.co.kr
false
unknown
http://www.urwpp.deDPlease
false
unknown
http://www.urwpp.de
false
unknown
http://www.zhongyicts.com.cn
false
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
false
unknown
http://www.fonts.com(O
false
unknown
http://www.sakkal.com
false
unknown
http://www.tiro.comSO
false
unknown
brightnano1.ddns.net
true
http://www.apache.org/licenses/LICENSE-2.0
false
unknown
http://www.fontbureau.com
false
unknown
http://www.fontbureau.comF
false
unknown
http://www.fonts.come
false
unknown
http://www.fonts.comn-u
false
unknown
http://www.sajatypeworks.comn-uX0
false
unknown
http://www.urwpp.deF
false
unknown
http://www.fontbureau.comd
false
unknown
http://www.carterandcone.coml
false
unknown
http://www.founder.com.cn/cn/
false
unknown
http://www.fontbureau.com/designers/cabarga.htmlN
false
unknown
http://www.founder.com.cn/cn
false
unknown
http://www.fontbureau.com/designers/frere-user.html
false
unknown
http://www.fontbureau.comsiefMm
false
unknown
http://www.fontbureau.com/designers/cabarga.html
false
unknown
http://www.jiyu-kobo.co.jp/
false
unknown
http://www.fontbureau.como
false
unknown
http://www.fontbureau.com/designers8
false
unknown
http://www.fontbureau.com/deDn:Pg
false
unknown
http://www.fontbureau.comals
false
unknown
http://www.founder.com.cn/cn/-
false
unknown
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: NanoCore
Yara detected AntiVM3
Machine Learning detection for sample
Detected Nanocore Rat
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Scheduled temp file as task from temp location
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Yara detected Nanocore RAT
Snort IDS alert for network traffic