Edit tour

Windows Analysis Report
4An07Q7I8G.exe

Overview

General Information

Sample Name:	4An07Q7I8G.exe
Original Sample Name:	b454c259c82c354cf5375ec490238507.exe
Analysis ID:	878387
MD5:	b454c259c82c354cf5375ec490238507
SHA1:	a0a3125c92df4657053f9001f38749a5d263471f
SHA256:	4188fbef59670a8fa8cee6a75514de835973823c58e66f6d5b622c695bd1ad07
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

4An07Q7I8G.exe (PID: 5516 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

4An07Q7I8G.exe (PID: 4900 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

4An07Q7I8G.exe (PID: 5672 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

schtasks.exe (PID: 4700 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5724 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

4An07Q7I8G.exe (PID: 1252 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe 0 MD5: B454C259C82C354CF5375EC490238507)

4An07Q7I8G.exe (PID: 5904 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3348 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3224 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3636 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 5724 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3956 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B454C259C82C354CF5375EC490238507)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "540c4d56-ad4d-4ca4-9f9f-305dba1d", "Group": "Default", "Domain1": "jasonbourneblack.ddns.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435b5:$a: NanoCore 0x4360e:$a: NanoCore 0x4364b:$a: NanoCore 0x436c4:$a: NanoCore 0x56d6f:$a: NanoCore 0x56d84:$a: NanoCore 0x56db9:$a: NanoCore 0x43617:$b: ClientPlugin 0x43654:$b: ClientPlugin 0x43f52:$b: ClientPlugin 0x43f5f:$b: ClientPlugin 0x56b2b:$b: ClientPlugin 0x56b46:$b: ClientPlugin 0x56b76:$b: ClientPlugin 0x56d8d:$b: ClientPlugin 0x56dc2:$b: ClientPlugin 0x56ca3:$c: ProjectData 0x43a9f:$g: LogClientMessage 0x43a1f:$i: get_Connected 0x575f2:$j: #=q 0x57622:$j: #=q
00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4364b:$a1: NanoCore.ClientPluginHost 0x56db9:$a1: NanoCore.ClientPluginHost 0x4360e:$a2: NanoCore.ClientPlugin 0x56d84:$a2: NanoCore.ClientPlugin 0x439e2:$b1: get_BuilderSettings 0x5bcff:$b1: get_BuilderSettings 0x43699:$b4: IClientAppHost 0x43a53:$b6: AddHostEntry 0x43ac2:$b7: LogClientException 0x5bc6e:$b7: LogClientException 0x43a37:$b8: PipeExists 0x43686:$b9: IClientLoggingHost 0x56dd3:$b9: IClientLoggingHost
00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0xffb7:$b9: IClientLoggingHost
0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xda5:$a1: NanoCore.ClientPluginHost 0xd70:$a2: NanoCore.ClientPlugin 0xdbf:$b9: IClientLoggingHost
00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6946b:$a: NanoCore 0x694c4:$a: NanoCore 0x69501:$a: NanoCore 0x6957a:$a: NanoCore 0x694cd:$b: ClientPlugin 0x6950a:$b: ClientPlugin 0x69e08:$b: ClientPlugin 0x69e15:$b: ClientPlugin 0x5f5e9:$e: KeepAlive 0x69955:$g: LogClientMessage 0x698d5:$i: get_Connected 0x598a1:$j: #=q 0x598d1:$j: #=q 0x5990d:$j: #=q 0x59935:$j: #=q 0x59965:$j: #=q 0x59995:$j: #=q 0x599c5:$j: #=q 0x599f5:$j: #=q 0x59a11:$j: #=q 0x59a41:$j: #=q
00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x69501:$a1: NanoCore.ClientPluginHost 0x694c4:$a2: NanoCore.ClientPlugin 0x5addb:$b1: get_BuilderSettings 0x69898:$b1: get_BuilderSettings 0x6954f:$b4: IClientAppHost 0x69909:$b6: AddHostEntry 0x5ad4a:$b7: LogClientException 0x69978:$b7: LogClientException 0x698ed:$b8: PipeExists 0x6953c:$b9: IClientLoggingHost
00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x34ec:$a1: NanoCore.ClientPluginHost 0x34c7:$a2: NanoCore.ClientPlugin 0x34dd:$b4: IClientAppHost 0x79cc:$b7: LogClientException 0x3516:$b9: IClientLoggingHost
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x47465:$x1: NanoCore.ClientPluginHost 0x7a085:$x1: NanoCore.ClientPluginHost 0xacaa5:$x1: NanoCore.ClientPluginHost 0x474a2:$x2: IClientNetworkHost 0x7a0c2:$x2: IClientNetworkHost 0xacae2:$x2: IClientNetworkHost 0x4afd5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7dbf5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb0615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x471cd:$a: NanoCore 0x471dd:$a: NanoCore 0x47411:$a: NanoCore 0x47425:$a: NanoCore 0x47465:$a: NanoCore 0x79ded:$a: NanoCore 0x79dfd:$a: NanoCore 0x7a031:$a: NanoCore 0x7a045:$a: NanoCore 0x7a085:$a: NanoCore 0xac80d:$a: NanoCore 0xac81d:$a: NanoCore 0xaca51:$a: NanoCore 0xaca65:$a: NanoCore 0xacaa5:$a: NanoCore 0x4722c:$b: ClientPlugin 0x4742e:$b: ClientPlugin 0x4746e:$b: ClientPlugin 0x79e4c:$b: ClientPlugin 0x7a04e:$b: ClientPlugin 0x7a08e:$b: ClientPlugin
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x47465:$a1: NanoCore.ClientPluginHost 0x7a085:$a1: NanoCore.ClientPluginHost 0xacaa5:$a1: NanoCore.ClientPluginHost 0x47425:$a2: NanoCore.ClientPlugin 0x7a045:$a2: NanoCore.ClientPlugin 0xaca65:$a2: NanoCore.ClientPlugin 0x4937e:$b1: get_BuilderSettings 0x7bf9e:$b1: get_BuilderSettings 0xae9be:$b1: get_BuilderSettings 0x47281:$b2: ClientLoaderForm.resources 0x79ea1:$b2: ClientLoaderForm.resources 0xac8c1:$b2: ClientLoaderForm.resources 0x48a9e:$b3: PluginCommand 0x7b6be:$b3: PluginCommand 0xae0de:$b3: PluginCommand 0x47456:$b4: IClientAppHost 0x7a076:$b4: IClientAppHost 0xaca96:$b4: IClientAppHost 0x518d6:$b5: GetBlockHash 0x844f6:$b5: GetBlockHash 0xb6f16:$b5: GetBlockHash
0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x693b3:$a: NanoCore 0x6940c:$a: NanoCore 0x69449:$a: NanoCore 0x694c2:$a: NanoCore 0x69415:$b: ClientPlugin 0x69452:$b: ClientPlugin 0x69d50:$b: ClientPlugin 0x69d5d:$b: ClientPlugin 0x5f531:$e: KeepAlive 0x6989d:$g: LogClientMessage 0x6981d:$i: get_Connected 0x597e9:$j: #=q 0x59819:$j: #=q 0x59855:$j: #=q 0x5987d:$j: #=q 0x598ad:$j: #=q 0x598dd:$j: #=q 0x5990d:$j: #=q 0x5993d:$j: #=q 0x59959:$j: #=q 0x59989:$j: #=q
0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x69449:$a1: NanoCore.ClientPluginHost 0x6940c:$a2: NanoCore.ClientPlugin 0x5ad23:$b1: get_BuilderSettings 0x697e0:$b1: get_BuilderSettings 0x69497:$b4: IClientAppHost 0x69851:$b6: AddHostEntry 0x5ac92:$b7: LogClientException 0x698c0:$b7: LogClientException 0x69835:$b8: PipeExists 0x69484:$b9: IClientLoggingHost
Process Memory Space: 4An07Q7I8G.exe PID: 5516	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe591a:$x1: NanoCore.ClientPluginHost 0xe5957:$x2: IClientNetworkHost 0xe943f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf44bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10048a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10b810:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 4An07Q7I8G.exe PID: 5516	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 4An07Q7I8G.exe PID: 5516	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe55e7:$a: NanoCore 0xe55f7:$a: NanoCore 0xe56b6:$a: NanoCore 0xe56c5:$a: NanoCore 0xe58c6:$a: NanoCore 0xe58da:$a: NanoCore 0xe591a:$a: NanoCore 0xf0b27:$a: NanoCore 0xf0b39:$a: NanoCore 0xf0b75:$a: NanoCore 0xfcaf4:$a: NanoCore 0xfcb06:$a: NanoCore 0xfcb42:$a: NanoCore 0x107e7a:$a: NanoCore 0x107e8c:$a: NanoCore 0x107ec8:$a: NanoCore 0xe5646:$b: ClientPlugin 0xe570f:$b: ClientPlugin 0xe58e3:$b: ClientPlugin 0xe5923:$b: ClientPlugin 0xf0b42:$b: ClientPlugin
Process Memory Space: 4An07Q7I8G.exe PID: 5516	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe591a:$a1: NanoCore.ClientPluginHost 0xe58da:$a2: NanoCore.ClientPlugin 0xe77e8:$b1: get_BuilderSettings 0xe569b:$b2: ClientLoaderForm.resources 0xe6f08:$b3: PluginCommand 0xe590b:$b4: IClientAppHost 0xefd33:$b5: GetBlockHash 0xe7e40:$b6: AddHostEntry 0xf2f57:$b6: AddHostEntry 0xfef24:$b6: AddHostEntry 0x10a2aa:$b6: AddHostEntry 0xebb33:$b7: LogClientException 0xf6a98:$b7: LogClientException 0x102a65:$b7: LogClientException 0x10ddeb:$b7: LogClientException 0xe7dad:$b8: PipeExists 0xf2ecb:$b8: PipeExists 0xfee98:$b8: PipeExists 0x10a21e:$b8: PipeExists 0xe5944:$b9: IClientLoggingHost
Process Memory Space: 4An07Q7I8G.exe PID: 5672	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11336a:$a1: NanoCore.ClientPluginHost 0x113345:$a2: NanoCore.ClientPlugin 0x11335b:$b4: IClientAppHost 0x1177e4:$b7: LogClientException 0x113394:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 3224	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x22e5:$x1: NanoCore.ClientPluginHost 0x14af3:$x1: NanoCore.ClientPluginHost 0x36023:$x1: NanoCore.ClientPluginHost 0x22ff:$x2: IClientNetworkHost 0x14b30:$x2: IClientNetworkHost 0x3603d:$x2: IClientNetworkHost 0x1b310:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c2cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 3224	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3224	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x224f:$a: NanoCore 0x22a8:$a: NanoCore 0x22e5:$a: NanoCore 0x235e:$a: NanoCore 0x2c17:$a: NanoCore 0x2c6a:$a: NanoCore 0x2ca3:$a: NanoCore 0x2d16:$a: NanoCore 0xa2e8:$a: NanoCore 0xa2fb:$a: NanoCore 0xa32d:$a: NanoCore 0x147c0:$a: NanoCore 0x147d0:$a: NanoCore 0x1488f:$a: NanoCore 0x1489e:$a: NanoCore 0x14a9f:$a: NanoCore 0x14ab3:$a: NanoCore 0x14af3:$a: NanoCore 0x16c66:$a: NanoCore 0x16c78:$a: NanoCore 0x16cb4:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 3224	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x22e5:$a1: NanoCore.ClientPluginHost 0x14af3:$a1: NanoCore.ClientPluginHost 0x36023:$a1: NanoCore.ClientPluginHost 0x22a8:$a2: NanoCore.ClientPlugin 0x14ab3:$a2: NanoCore.ClientPlugin 0x35fe6:$a2: NanoCore.ClientPlugin 0x265f:$b1: get_BuilderSettings 0x169ca:$b1: get_BuilderSettings 0x2f75f:$b1: get_BuilderSettings 0x43826:$b1: get_BuilderSettings 0x14874:$b2: ClientLoaderForm.resources 0x160ea:$b3: PluginCommand 0x2333:$b4: IClientAppHost 0x14ae4:$b4: IClientAppHost 0x36071:$b4: IClientAppHost 0x26d0:$b6: AddHostEntry 0x36384:$b6: AddHostEntry 0x273f:$b7: LogClientException 0x2f6ce:$b7: LogClientException 0x43795:$b7: LogClientException 0x26b4:$b8: PipeExists
Process Memory Space: 4An07Q7I8G.exe PID: 5904	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 4An07Q7I8G.exe PID: 5904	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x244d:$a: NanoCore 0x2461:$a: NanoCore 0x27e4:$a: NanoCore 0x12c4f:$a: NanoCore 0x12c64:$a: NanoCore 0x12c99:$a: NanoCore 0x1400c:$a: NanoCore 0x1401f:$a: NanoCore 0x14051:$a: NanoCore 0x1beb6:$a: NanoCore 0x1fbaf:$a: NanoCore 0x1fc0a:$a: NanoCore 0x1fc7e:$a: NanoCore 0x35107:$a: NanoCore 0x35160:$a: NanoCore 0x3519d:$a: NanoCore 0x35216:$a: NanoCore 0x359a4:$a: NanoCore 0x359f7:$a: NanoCore 0x35a30:$a: NanoCore 0x35aa3:$a: NanoCore
Process Memory Space: 4An07Q7I8G.exe PID: 5904	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x12c99:$a1: NanoCore.ClientPluginHost 0x3519d:$a1: NanoCore.ClientPluginHost 0x12c64:$a2: NanoCore.ClientPlugin 0x35160:$a2: NanoCore.ClientPlugin 0x2e8d9:$b1: get_BuilderSettings 0x351eb:$b4: IClientAppHost 0x19ac1:$b5: GetBlockHash 0x6058:$b6: AddHostEntry 0x702d:$b6: AddHostEntry 0x354fe:$b6: AddHostEntry 0x159f6:$b7: LogClientException 0x169eb:$b7: LogClientException 0x2e848:$b7: LogClientException 0x5fc5:$b8: PipeExists 0x6fa1:$b8: PipeExists 0x354e2:$b8: PipeExists 0x12cb3:$b9: IClientLoggingHost 0x351d8:$b9: IClientLoggingHost
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.dhcpmon.exe.30d968c.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
9.2.dhcpmon.exe.30d968c.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.dhcpmon.exe.30d968c.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
9.2.dhcpmon.exe.30d968c.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
10.2.4An07Q7I8G.exe.40595f8.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
10.2.4An07Q7I8G.exe.40595f8.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
10.2.4An07Q7I8G.exe.40595f8.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.4An07Q7I8G.exe.40595f8.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin
10.2.4An07Q7I8G.exe.40595f8.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0xd9c7:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.45122d8.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.45122d8.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.4An07Q7I8G.exe.45122d8.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.45122d8.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.4An07Q7I8G.exe.45122d8.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.4An07Q7I8G.exe.45122d8.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40c060c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40c060c.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
9.2.dhcpmon.exe.40c060c.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0x14610:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0x14623:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0x14631:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x144cd:$c: ProjectData 0x12c9:$g: LogClientMessage 0x1249:$i: get_Connected 0x14e1c:$j: #=q 0x14e4c:$j: #=q
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40c060c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40c060c.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
9.2.dhcpmon.exe.40c060c.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x74ae0:$c: ProjectData 0xe2d00:$c: ProjectData 0x10a82:$d: DESCrypto
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x471ad:$x1: NanoCore.ClientPluginHost 0x79dcd:$x1: NanoCore.ClientPluginHost 0xac7ed:$x1: NanoCore.ClientPluginHost 0x471ea:$x2: IClientNetworkHost 0x79e0a:$x2: IClientNetworkHost 0xac82a:$x2: IClientNetworkHost 0x4ad1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7d93d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb035d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46f15:$x1: NanoCore Client 0x46f25:$x1: NanoCore Client 0x79b35:$x1: NanoCore Client 0x79b45:$x1: NanoCore Client 0xac555:$x1: NanoCore Client 0xac565:$x1: NanoCore Client 0x4716d:$x2: NanoCore.ClientPlugin 0x79d8d:$x2: NanoCore.ClientPlugin 0xac7ad:$x2: NanoCore.ClientPlugin 0x471ad:$x3: NanoCore.ClientPluginHost 0x79dcd:$x3: NanoCore.ClientPluginHost 0xac7ed:$x3: NanoCore.ClientPluginHost 0x47162:$i1: IClientApp 0x79d82:$i1: IClientApp 0xac7a2:$i1: IClientApp 0x47183:$i2: IClientData 0x79da3:$i2: IClientData 0xac7c3:$i2: IClientData 0x4718f:$i3: IClientNetwork 0x79daf:$i3: IClientNetwork 0xac7cf:$i3: IClientNetwork
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46f15:$a: NanoCore 0x46f25:$a: NanoCore 0x47159:$a: NanoCore 0x4716d:$a: NanoCore 0x471ad:$a: NanoCore 0x79b35:$a: NanoCore 0x79b45:$a: NanoCore 0x79d79:$a: NanoCore 0x79d8d:$a: NanoCore 0x79dcd:$a: NanoCore 0xac555:$a: NanoCore 0xac565:$a: NanoCore 0xac799:$a: NanoCore 0xac7ad:$a: NanoCore 0xac7ed:$a: NanoCore 0x46f74:$b: ClientPlugin 0x47176:$b: ClientPlugin 0x471b6:$b: ClientPlugin 0x79b94:$b: ClientPlugin 0x79d96:$b: ClientPlugin 0x79dd6:$b: ClientPlugin
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x471ad:$a1: NanoCore.ClientPluginHost 0x79dcd:$a1: NanoCore.ClientPluginHost 0xac7ed:$a1: NanoCore.ClientPluginHost 0x4716d:$a2: NanoCore.ClientPlugin 0x79d8d:$a2: NanoCore.ClientPlugin 0xac7ad:$a2: NanoCore.ClientPlugin 0x490c6:$b1: get_BuilderSettings 0x7bce6:$b1: get_BuilderSettings 0xae706:$b1: get_BuilderSettings 0x46fc9:$b2: ClientLoaderForm.resources 0x79be9:$b2: ClientLoaderForm.resources 0xac609:$b2: ClientLoaderForm.resources 0x487e6:$b3: PluginCommand 0x7b406:$b3: PluginCommand 0xade26:$b3: PluginCommand 0x4719e:$b4: IClientAppHost 0x79dbe:$b4: IClientAppHost 0xac7de:$b4: IClientAppHost 0x5161e:$b5: GetBlockHash 0x8423e:$b5: GetBlockHash 0xb6c5e:$b5: GetBlockHash
Click to see the 56 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\4An07Q7I8G.exe, ParentImage: C:\Users\user\Desktop\4An07Q7I8G.exe, ParentProcessId: 5672, ParentProcessName: 4An07Q7I8G.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp, ProcessId: 4700, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971040322816718 05/30/23-16:40:13.977539
SID:	2816718
Source Port:	49710
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970540322816766 05/30/23-16:39:33.706408
SID:	2816766
Source Port:	49705
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971540322816766 05/30/23-16:40:50.973824
SID:	2816766
Source Port:	49715
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971840322816766 05/30/23-16:41:18.114338
SID:	2816766
Source Port:	49718
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972140322816766 05/30/23-16:41:38.417178
SID:	2816766
Source Port:	49721
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972740322816718 05/30/23-16:42:22.509655
SID:	2816718
Source Port:	49727
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970840322816766 05/30/23-16:40:00.413491
SID:	2816766
Source Port:	49708
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971140322816766 05/30/23-16:40:21.553606
SID:	2816766
Source Port:	49711
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497252841753 05/30/23-16:42:09.874096
SID:	2841753
Source Port:	4032
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971740322816718 05/30/23-16:41:08.713034
SID:	2816718
Source Port:	49717
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497212810290 05/30/23-16:41:38.152963
SID:	2810290
Source Port:	4032
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497312841753 05/30/23-16:42:49.623506
SID:	2841753
Source Port:	4032
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497332841753 05/30/23-16:43:01.178074
SID:	2841753
Source Port:	4032
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972240322816766 05/30/23-16:41:46.251062
SID:	2816766
Source Port:	49722
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970640322816766 05/30/23-16:39:46.341150
SID:	2816766
Source Port:	49706
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971240322816766 05/30/23-16:40:27.702458
SID:	2816766
Source Port:	49712
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497072810290 05/30/23-16:39:52.215019
SID:	2810290
Source Port:	4032
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970740322816766 05/30/23-16:39:52.717055
SID:	2816766
Source Port:	49707
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971640322816766 05/30/23-16:41:00.324127
SID:	2816766
Source Port:	49716
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972640322816766 05/30/23-16:42:16.962875
SID:	2816766
Source Port:	49726
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674973240322816766 05/30/23-16:42:56.061988
SID:	2816766
Source Port:	49732
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972340322816766 05/30/23-16:41:55.674302
SID:	2816766
Source Port:	49723
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971340322816766 05/30/23-16:40:34.783339
SID:	2816766
Source Port:	49713
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971040322816766 05/30/23-16:40:14.977403
SID:	2816766
Source Port:	49710
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971740322816766 05/30/23-16:41:08.713034
SID:	2816766
Source Port:	49717
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972740322816766 05/30/23-16:42:23.748746
SID:	2816766
Source Port:	49727
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970440322816766 05/30/23-16:39:25.146472
SID:	2816766
Source Port:	49704
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971940322816766 05/30/23-16:41:24.254865
SID:	2816766
Source Port:	49719
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971440322816766 05/30/23-16:40:42.455969
SID:	2816766
Source Port:	49714
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970940322816766 05/30/23-16:40:08.035340
SID:	2816766
Source Port:	49709
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972040322816766 05/30/23-16:41:31.469338
SID:	2816766
Source Port:	49720
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972440322816766 05/30/23-16:42:04.621976
SID:	2816766
Source Port:	49724
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674973040322816766 05/30/23-16:42:44.464795
SID:	2816766
Source Port:	49730
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972840322816766 05/30/23-16:42:31.313902
SID:	2816766
Source Port:	49728
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674973440322816766 05/30/23-16:43:07.123160
SID:	2816766
Source Port:	49734
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "540c4d56-ad4d-4ca4-9f9f-305dba1d", "Group": "Default", "Domain1": "jasonbourneblack.ddns.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: 4An07Q7I8G.exe	ReversingLabs: Detection: 24%
Source: 4An07Q7I8G.exe	Virustotal: Detection: 34%			Perma Link

Antivirus detection for URL or domain

Source: jasonbourneblack.ddns.net

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: jasonbourneblack.ddns.net

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 24%

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

Machine Learning detection for sample

Source: 4An07Q7I8G.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: 4An07Q7I8G.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4An07Q7I8G.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AxiBQ.pdb source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbSHA256 source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbS source: 4An07Q7I8G.exe, 00000002.00000003.374904648.00000000013EF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 4x nop then jmp 07AB9A25h
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 4x nop then jmp 06F89A25h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 06879A25h

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49704 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49705 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49706 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 141.98.6.167:4032 -> 192.168.2.7:49707
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49707 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49708 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49709 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49710 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49710 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49711 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49712 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49713 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49714 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49715 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49716 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49717 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49717 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49718 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49719 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49720 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 141.98.6.167:4032 -> 192.168.2.7:49721
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49721 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49722 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49723 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49724 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 141.98.6.167:4032 -> 192.168.2.7:49725
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49726 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49727 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49727 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49728 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49730 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 141.98.6.167:4032 -> 192.168.2.7:49731
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49732 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 141.98.6.167:4032 -> 192.168.2.7:49733
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49734 -> 141.98.6.167:4032

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: jasonbourneblack.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: jasonbourneblack.ddns.net

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 141.98.6.167:4032

Source: 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wikip
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 4An07Q7I8G.exe, 00000000.00000003.352081387.0000000006252000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 4An07Q7I8G.exe, 00000000.00000003.355660959.0000000006286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersN
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comts
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 4An07Q7I8G.exe, 00000000.00000003.351944589.0000000006242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn&
Source: 4An07Q7I8G.exe, 00000000.00000003.351720872.000000000624A000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.351851946.000000000624A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/SCz
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: 4An07Q7I8G.exe, 00000000.00000003.358467096.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/-
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 4An07Q7I8G.exe, 00000000.00000003.348952309.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349006793.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349107893.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349149259.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349055971.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.348875232.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349026832.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349081700.0000000006264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comFUw
Source: 4An07Q7I8G.exe, 00000000.00000003.354701779.0000000006286000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.354764386.0000000006286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 4An07Q7I8G.exe, 00000000.00000003.349978172.0000000006243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net-t
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: jasonbourneblack.ddns.net

Source: 4An07Q7I8G.exe, 00000000.00000002.366438687.00000000014E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dhcpmon.exe, 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5672, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: 4An07Q7I8G.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5672, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_0315C284
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_0315E650
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_0315E640
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB8E58
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB8E4D
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB04F0
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB2430
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB1020
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB0040
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_012AC284
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_012AE640
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_012AE650
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F8AEE8
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F88E58
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F804F0
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F82430
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F80040
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F81020
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F88E48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00B8C284
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00B8E650
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00B8E640
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06878E58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_068704F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06872430
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06871020
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06870040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF5410
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF8E11
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFBB06
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF58CE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF9990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFE6F9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF95A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF95B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF0006
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFE050
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1AC5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1828
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1817
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1AC8

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Process Stats: CPU usage > 98%

Source: 4An07Q7I8G.exe, 00000000.00000002.386674839.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000002.366438687.00000000014E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000000.346160675.000000000100C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAxiBQ.exe4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000002.367447161.0000000003341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000002.00000003.374904648.00000000013EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAxiBQ.exe4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.400346227.0000000003E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.400346227.0000000003E82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.394868341.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.398108722.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004058000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.425979907.0000000001079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004071000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe	Binary or memory string: OriginalFilenameAxiBQ.exe4 vs 4An07Q7I8G.exe

Source: 4An07Q7I8G.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4An07Q7I8G.exe	ReversingLabs: Detection: 24%
Source: 4An07Q7I8G.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File read: C:\Users\user\Desktop\4An07Q7I8G.exe

Jump to behavior

Source: 4An07Q7I8G.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4An07Q7I8G.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/11@32/1

Source: 4An07Q7I8G.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2028:120:WilError_01
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{540c4d56-ad4d-4ca4-9f9f-305dba1da640}

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 4An07Q7I8G.exe, 00000000.00000003.354914939.000000000625A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Kristen is a Trademark of International Typeface Corporation.slnt

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: 4An07Q7I8G.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 4An07Q7I8G.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 4An07Q7I8G.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: AxiBQ.pdb source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbSHA256 source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbS source: 4An07Q7I8G.exe, 00000002.00000003.374904648.00000000013EF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 4An07Q7I8G.exe, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.4An07Q7I8G.exe.f50000.0.unpack, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB5600 pushad ; iretd
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F85600 pushad ; iretd
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F87FFA push es; retf
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F87F09 push es; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06875600 pushad ; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06877B6B push es; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFC2A0 push esp; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFB0C3 push eax; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFB0C0 pushad ; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.701181340859135
Source: initial sample	Static PE information: section name: .text entropy: 7.701181340859135

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File opened: C:\Users\user\Desktop\4An07Q7I8G.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 2400	Thread sleep time: -41202s >= -30000s
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 6920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 324	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 1184	Thread sleep time: -41202s >= -30000s
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 3424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2948	Thread sleep time: -41202s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2200	Thread sleep time: -41202s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4012	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Window / User API: threadDelayed 9254
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Window / User API: foregroundWindowGot 825
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Window / User API: foregroundWindowGot 700

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 41202
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 41202
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41202
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41202
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Memory written: C:\Users\user\Desktop\4An07Q7I8G.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Memory written: C:\Users\user\Desktop\4An07Q7I8G.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: 4An07Q7I8G.exe, 00000002.00000003.615288362.00000000037BF000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000002.00000003.615288362.0000000003798000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000002.00000003.615288362.0000000003745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 4An07Q7I8G.exe, 00000002.00000003.615288362.00000000037BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager g4

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: 4An07Q7I8G.exe, 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 4An07Q7I8G.exe, 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKindDelegateDebuggerDisplayAttributeSystem.DiagnosticsDebuggerHiddenAttributeDebuggerNonUserCodeAttributeDebuggerStepThroughAttributeProcessStackFrameStackTraceDoubleEnumEnvironmentExceptionCultureInfoSystem.GlobalizationIAsyncResultIDisposableInt16Int32Int64IntPtrBinaryReaderSystem.IOBinaryWriterDirectoryDirectoryInfoEndOfStreamExceptionFileFileAccessFileInfoFileModeFileStreamFileSystemInfoMemoryStreamPathStreamStringReaderMathMulticastDelegateObjectAssemblySystem.ReflectionAssemblyCompanyAttributeAssemblyCopyrightAttributeAssemblyDescriptionAttributeAssemblyFileVersionAttributeAssemblyNameAssemblyProductAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeDefaultMemberAttributeMemberInfoMethodBaseResolveEventArgsResolveEventHandlerResourceManagerSystem.ResourcesCompilationRelaxationsAttributeSystem.Runtime.CompilerServicesCompilerGeneratedAttributeRuntimeCompatibilityAttributeRuntimeHelpersSuppressIldasmAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeMarshalRuntimeEnvironmentRuntimeMethodHandleRuntimeTypeHandleSuppressUnmanagedCodeSecurityAttributeSystem.SecurityStringStringSplitOptionsEncodingSystem.TextCaptureSystem.Text.RegularExpressionsGroupGroupCollectionMatchMatchCollectionRegexStringBuilderMonitorSystem.ThreadingThreadThreadPoolTimerTimerCallbackWaitCallbackTimeSpanTypeUInt16UInt32UInt64UriUriKindValueTypeVoidClipboardCreateParamsKeysMessageNativeWindow<Module>#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=#=q1WnXnf5Kn3oZdelfZ9atXg==#=q4Jhplum5EMsDzltMg_L_tgoPjr8zzldX6k5uL$T8QHU=#=qaeAZ85IK9icf1hoO$eIUgQ==#=qbDWEs19y0rXNZJloHjyEAXFFSfYqbb6nrn10YnV15GU=#=qgHfmPA2gNKnydwzqeSF_2nVCUjp4Sfb3eJfQd$j975A=#=q3$4$aeeKw0G6KJpmbsHtCSC3$LdCNMfTzWNTjLVfIoU=#=qwJ4w0jkRVthW3ex8w5dly$cWay1Am4JSh9ZTwaXqcz4=#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=#=qps$_CRy8QN3tD8_cpxbl5Q==#=qeoqI9zQPLOZjV1JthHFzOD41rl7NT5wwztozAPfluxU=#=qfisk2$Joqzyumzd6fh2dOQ==#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=#=qG3u5K_RN
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	21 Input Capture	11 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4An07Q7I8G.exe	24%	ReversingLabs	Win32.Trojan.Pwsx
4An07Q7I8G.exe	35%	Virustotal		Browse
4An07Q7I8G.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	24%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
jasonbourneblack.ddns.net	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://en.wikip	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn&	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/SCz	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/-	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comts	0%	Avira URL Cloud	safe
http://www.typography.net-t	0%	Avira URL Cloud	safe
jasonbourneblack.ddns.net	100%	Avira URL Cloud	malware
http://www.galapagosdesign.com/-	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comFUw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jasonbourneblack.ddns.net	141.98.6.167	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jasonbourneblack.ddns.net	true	Avira URL Cloud: malware	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	4An07Q7I8G.exe, 00000000.00000003.352081387.0000000006252000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comts	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.wikip	4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersN	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/-	4An07Q7I8G.exe, 00000000.00000003.358467096.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.typography.netD	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comm	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.net-t	4An07Q7I8G.exe, 00000000.00000003.349978172.0000000006243000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/SCz	4An07Q7I8G.exe, 00000000.00000003.351720872.000000000624A000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.351851946.000000000624A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn&	4An07Q7I8G.exe, 00000000.00000003.351944589.0000000006242000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	4An07Q7I8G.exe, 00000000.00000003.354701779.0000000006286000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.354764386.0000000006286000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	4An07Q7I8G.exe, 00000000.00000003.355660959.0000000006286000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.comFUw	4An07Q7I8G.exe, 00000000.00000003.348952309.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349006793.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349107893.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349149259.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349055971.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.348875232.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349026832.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349081700.0000000006264000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.98.6.167	jasonbourneblack.ddns.net	Germany		33657	CMCSUS	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878387
Start date and time:	2023-05-30 16:38:03 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	4An07Q7I8G.exe
Original Sample Name:	b454c259c82c354cf5375ec490238507.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/11@32/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
TCP Packets have been reduced to 100
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:39:11	API Interceptor	1849x Sleep call for process: 4An07Q7I8G.exe modified
16:39:16	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\4An07Q7I8G.exe" s>$(Arg0)
16:39:16	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
16:39:18	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:39:24	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	782336
Entropy (8bit):	7.670020600922918
Encrypted:	false
SSDEEP:	12288:zPRP2B0xTGlxNqvNu2hZ+nUEsn9iwx241iWKWHy4x7Qm7MFPkhTYZHqX1kEao0JQ:zZPLaVUH999V20iWKW33IPGT0G1kEaTy
MD5:	B454C259C82C354CF5375EC490238507
SHA1:	A0A3125C92DF4657053F9001F38749A5D263471F
SHA-256:	4188FBEF59670A8FA8CEE6A75514DE835973823C58E66F6D5B622C695BD1AD07
SHA-512:	959685935CD0B6A6BA6A23A2E1BAFF1D1119B5EED401852173EBD0E1A9A6B5A7B350010F27BFB7C1742D11BE01DC84E283BD21F2E64FB1BD33CF3167C7FE654A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{Sud..............0......P......J.... ........@.. ....................... ............@.....................................O.......<:.............................T............................................ ............... ..H............text...P.... ...................... ..`.rsrc...<:.......@..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4An07Q7I8G.exe.log

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1304
Entropy (8bit):	5.115647572660457
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mSxtn:cbk4oL600QydbQxIYODOLedq3Uj
MD5:	1DDB387C3D6CBA069AACAB109BD51E64
SHA1:	8D8BC1D64B435E009B65674A5FC18202976AC4DC
SHA-256:	9E22400F410B4D6556DA1E47AAC6E740BDDB9BBF54EC672317516D227BC8C05B
SHA-512:	CC61745804FCF1717A3C71224FF1076351749B0A6D25058A5FA3E9B239C828F8E04D48E963D670E157BF161EA84EBC1D0969E8A987AA299E61DF6F3707E502A0
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:ExC9:V
MD5:	F5560F152CDF86389BC12DF27D0AB13E
SHA1:	0AC7E5A1020C73D9E8D5EBB670F4010626D946AD
SHA-256:	A44CC5DBFA8C587AE50220A2E855BC22372B475375AE594695BF92B55F24C53B
SHA-512:	C8F181435AF609BDD45423E2AB74589A0F54393F682A1341E506966E2C0598A3650CC730EBC408F4D97D4481ADB74F13E33745CFDB70D342B03CC60B1FAAE938
Malicious:	true
Preview:	k{g.ga.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.39146321255865
Encrypted:	false
SSDEEP:	3:oN0naRRRkL40SsdiLAC:oNcSRCQsgLN
MD5:	BD43240CB9E3E459B9C2985C27CB8FAB
SHA1:	AC9A4D13C5BE671980909A49E420A9D1C7000514
SHA-256:	47371587121EA0B8D8246C94BC5FA50C31FBF1361F7AAFB357501C00AF670F94
SHA-512:	F96A8ED5804BDB9B1DC4D318825F67CA634FD31DC7AC7858F20E6553B08FB38C28F43CB09A50D8B23C507F47A9D687D045D8E6F24A3CEEC90464D0C3E77D6574
Malicious:	false
Preview:	C:\Users\user\Desktop\4An07Q7I8G.exe

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.670020600922918
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	4An07Q7I8G.exe
File size:	782336
MD5:	b454c259c82c354cf5375ec490238507
SHA1:	a0a3125c92df4657053f9001f38749a5d263471f
SHA256:	4188fbef59670a8fa8cee6a75514de835973823c58e66f6d5b622c695bd1ad07
SHA512:	959685935cd0b6a6ba6a23a2e1baff1d1119b5eed401852173ebd0e1a9a6b5a7b350010f27bfb7c1742d11be01dc84e283bd21f2e64fb1bd33cf3167c7fe654a
SSDEEP:	12288:zPRP2B0xTGlxNqvNu2hZ+nUEsn9iwx241iWKWHy4x7Qm7MFPkhTYZHqX1kEao0JQ:zZPLaVUH999V20iWKW33IPGT0G1kEaTy
TLSH:	55F422287B57802FD5831BB408D87B7560FD82DAB872E7231E5792D9DB6BF096802317
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{Sud..............0......P......J.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	94969edbd9f8d9c6

Static PE Info

General

Entrypoint:	0x4ba54a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6475537B [Tue May 30 01:38:03 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba4f8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x3a3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb94c8	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb8550	0xb9000	False	0.9298313450168919	data	7.701181340859135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x3a3c	0x4000	False	0.8494873046875	data	7.3969246343448285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x1000	False	0.0087890625	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xbc0c8	0x36fd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xbf7d8	0x14	data
RT_VERSION	0xbf7fc	0x23c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7141.98.6.1674971040322816718 05/30/23-16:40:13.977539	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49710	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970540322816766 05/30/23-16:39:33.706408	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971540322816766 05/30/23-16:40:50.973824	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971840322816766 05/30/23-16:41:18.114338	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49718	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972140322816766 05/30/23-16:41:38.417178	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49721	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972740322816718 05/30/23-16:42:22.509655	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49727	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970840322816766 05/30/23-16:40:00.413491	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971140322816766 05/30/23-16:40:21.553606	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49711	4032	192.168.2.7	141.98.6.167
141.98.6.167192.168.2.74032497252841753 05/30/23-16:42:09.874096	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49725	141.98.6.167	192.168.2.7
192.168.2.7141.98.6.1674971740322816718 05/30/23-16:41:08.713034	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49717	4032	192.168.2.7	141.98.6.167
141.98.6.167192.168.2.74032497212810290 05/30/23-16:41:38.152963	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	4032	49721	141.98.6.167	192.168.2.7
141.98.6.167192.168.2.74032497312841753 05/30/23-16:42:49.623506	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49731	141.98.6.167	192.168.2.7
141.98.6.167192.168.2.74032497332841753 05/30/23-16:43:01.178074	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49733	141.98.6.167	192.168.2.7
192.168.2.7141.98.6.1674972240322816766 05/30/23-16:41:46.251062	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49722	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970640322816766 05/30/23-16:39:46.341150	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971240322816766 05/30/23-16:40:27.702458	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	4032	192.168.2.7	141.98.6.167
141.98.6.167192.168.2.74032497072810290 05/30/23-16:39:52.215019	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	4032	49707	141.98.6.167	192.168.2.7
192.168.2.7141.98.6.1674970740322816766 05/30/23-16:39:52.717055	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971640322816766 05/30/23-16:41:00.324127	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972640322816766 05/30/23-16:42:16.962875	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49726	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674973240322816766 05/30/23-16:42:56.061988	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49732	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972340322816766 05/30/23-16:41:55.674302	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49723	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971340322816766 05/30/23-16:40:34.783339	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49713	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971040322816766 05/30/23-16:40:14.977403	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971740322816766 05/30/23-16:41:08.713034	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972740322816766 05/30/23-16:42:23.748746	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49727	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970440322816766 05/30/23-16:39:25.146472	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971940322816766 05/30/23-16:41:24.254865	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49719	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971440322816766 05/30/23-16:40:42.455969	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49714	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970940322816766 05/30/23-16:40:08.035340	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972040322816766 05/30/23-16:41:31.469338	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49720	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972440322816766 05/30/23-16:42:04.621976	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49724	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674973040322816766 05/30/23-16:42:44.464795	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49730	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972840322816766 05/30/23-16:42:31.313902	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49728	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674973440322816766 05/30/23-16:43:07.123160	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49734	4032	192.168.2.7	141.98.6.167

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2023 16:39:22.476109982 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:22.503236055 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:22.503346920 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:22.857084036 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:22.934726954 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:22.956017017 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:22.999768019 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.031047106 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.143770933 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.223859072 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285304070 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285352945 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285381079 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285412073 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.285414934 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285468102 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.317507029 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.317559004 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.317723989 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.350073099 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379556894 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379605055 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379625082 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379645109 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379682064 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379728079 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379739046 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379745960 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379748106 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379757881 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379801035 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379825115 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408036947 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408082008 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408102036 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408109903 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408127069 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408138990 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408157110 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408157110 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408170938 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408216000 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408308983 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.434542894 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434588909 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434614897 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434638977 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434649944 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.434663057 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434695005 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.461402893 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461447001 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461464882 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.461474895 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461499929 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461512089 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.461528063 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461565971 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.488554955 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488667011 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488687992 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488706112 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488725901 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488734961 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.488745928 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488759041 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.488765001 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488782883 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.515285015 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515317917 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515336037 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515350103 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515362978 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515382051 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515399933 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515427113 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.515456915 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.541888952 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541934013 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541963100 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541990042 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541990995 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.542016983 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542037010 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.542068005 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542093992 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542109966 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.542129993 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542179108 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569458961 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569509983 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569547892 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569580078 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569582939 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569618940 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569627047 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569664955 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569695950 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569700003 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569727898 CEST	4032	49704	141.98.6.167	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2023 16:39:22.362440109 CEST	50505	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:22.397989988 CEST	53	50505	8.8.8.8	192.168.2.7
May 30, 2023 16:39:32.605612040 CEST	61178	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:32.632709026 CEST	53	61178	8.8.8.8	192.168.2.7
May 30, 2023 16:39:44.354666948 CEST	63926	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:44.381418943 CEST	53	63926	8.8.8.8	192.168.2.7
May 30, 2023 16:39:51.504729986 CEST	53336	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:51.524482012 CEST	53	53336	8.8.8.8	192.168.2.7
May 30, 2023 16:39:59.729190111 CEST	51007	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:59.757992983 CEST	53	51007	8.8.8.8	192.168.2.7
May 30, 2023 16:40:05.948673964 CEST	50513	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:05.983731985 CEST	53	50513	8.8.8.8	192.168.2.7
May 30, 2023 16:40:13.588737011 CEST	60765	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:13.617819071 CEST	53	60765	8.8.8.8	192.168.2.7
May 30, 2023 16:40:20.004285097 CEST	58283	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:20.033102036 CEST	53	58283	8.8.8.8	192.168.2.7
May 30, 2023 16:40:26.547569990 CEST	50024	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:26.576658964 CEST	53	50024	8.8.8.8	192.168.2.7
May 30, 2023 16:40:33.111949921 CEST	49516	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:33.140515089 CEST	53	49516	8.8.8.8	192.168.2.7
May 30, 2023 16:40:40.637732029 CEST	62679	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:40.672013998 CEST	53	62679	8.8.8.8	192.168.2.7
May 30, 2023 16:40:48.904197931 CEST	61392	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:48.938972950 CEST	53	61392	8.8.8.8	192.168.2.7
May 30, 2023 16:40:58.416053057 CEST	52104	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:58.444981098 CEST	53	52104	8.8.8.8	192.168.2.7
May 30, 2023 16:41:06.952166080 CEST	65356	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:06.980006933 CEST	53	65356	8.8.8.8	192.168.2.7
May 30, 2023 16:41:14.907988071 CEST	59006	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:14.936583042 CEST	53	59006	8.8.8.8	192.168.2.7
May 30, 2023 16:41:23.494816065 CEST	51526	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:23.529709101 CEST	53	51526	8.8.8.8	192.168.2.7
May 30, 2023 16:41:29.957299948 CEST	51139	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:29.972347975 CEST	53	51139	8.8.8.8	192.168.2.7
May 30, 2023 16:41:37.741357088 CEST	58784	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:37.776343107 CEST	53	58784	8.8.8.8	192.168.2.7
May 30, 2023 16:41:44.572515011 CEST	57970	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:44.593158960 CEST	53	57970	8.8.8.8	192.168.2.7
May 30, 2023 16:41:52.146033049 CEST	64608	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:52.180840969 CEST	53	64608	8.8.8.8	192.168.2.7
May 30, 2023 16:42:03.454895973 CEST	58746	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:03.474879026 CEST	53	58746	8.8.8.8	192.168.2.7
May 30, 2023 16:42:09.789836884 CEST	62433	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:09.810009956 CEST	53	62433	8.8.8.8	192.168.2.7
May 30, 2023 16:42:15.086165905 CEST	61248	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:15.122503996 CEST	53	61248	8.8.8.8	192.168.2.7
May 30, 2023 16:42:22.159080982 CEST	52750	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:22.179284096 CEST	53	52750	8.8.8.8	192.168.2.7
May 30, 2023 16:42:29.186521053 CEST	64078	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:29.221518040 CEST	53	64078	8.8.8.8	192.168.2.7
May 30, 2023 16:42:36.934360027 CEST	50231	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:36.960967064 CEST	53	50231	8.8.8.8	192.168.2.7
May 30, 2023 16:42:43.045001984 CEST	58514	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:43.072479010 CEST	53	58514	8.8.8.8	192.168.2.7
May 30, 2023 16:42:49.527162075 CEST	51436	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:49.555417061 CEST	53	51436	8.8.8.8	192.168.2.7
May 30, 2023 16:42:54.530867100 CEST	59053	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:54.559801102 CEST	53	59053	8.8.8.8	192.168.2.7
May 30, 2023 16:43:01.091682911 CEST	51945	53	192.168.2.7	8.8.8.8
May 30, 2023 16:43:01.120343924 CEST	53	51945	8.8.8.8	192.168.2.7
May 30, 2023 16:43:06.156100035 CEST	63187	53	192.168.2.7	8.8.8.8
May 30, 2023 16:43:06.191737890 CEST	53	63187	8.8.8.8	192.168.2.7
May 30, 2023 16:43:12.186599016 CEST	64760	53	192.168.2.7	8.8.8.8
May 30, 2023 16:43:12.201931953 CEST	53	64760	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 30, 2023 16:39:22.362440109 CEST	192.168.2.7	8.8.8.8	0xf453	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:32.605612040 CEST	192.168.2.7	8.8.8.8	0x5e7e	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:44.354666948 CEST	192.168.2.7	8.8.8.8	0xa8f2	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:51.504729986 CEST	192.168.2.7	8.8.8.8	0xae94	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:59.729190111 CEST	192.168.2.7	8.8.8.8	0x338a	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:05.948673964 CEST	192.168.2.7	8.8.8.8	0x8320	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:13.588737011 CEST	192.168.2.7	8.8.8.8	0x3578	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:20.004285097 CEST	192.168.2.7	8.8.8.8	0xd4de	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:26.547569990 CEST	192.168.2.7	8.8.8.8	0xe4f9	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:33.111949921 CEST	192.168.2.7	8.8.8.8	0xd2fe	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:40.637732029 CEST	192.168.2.7	8.8.8.8	0x8d6e	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:48.904197931 CEST	192.168.2.7	8.8.8.8	0x24e7	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:58.416053057 CEST	192.168.2.7	8.8.8.8	0x8d7b	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:06.952166080 CEST	192.168.2.7	8.8.8.8	0xff49	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:14.907988071 CEST	192.168.2.7	8.8.8.8	0x43f4	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:23.494816065 CEST	192.168.2.7	8.8.8.8	0x71ba	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:29.957299948 CEST	192.168.2.7	8.8.8.8	0x135e	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:37.741357088 CEST	192.168.2.7	8.8.8.8	0x668b	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:44.572515011 CEST	192.168.2.7	8.8.8.8	0xeba5	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:52.146033049 CEST	192.168.2.7	8.8.8.8	0xf4e8	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:03.454895973 CEST	192.168.2.7	8.8.8.8	0x7d3b	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:09.789836884 CEST	192.168.2.7	8.8.8.8	0xf20	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:15.086165905 CEST	192.168.2.7	8.8.8.8	0x4758	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:22.159080982 CEST	192.168.2.7	8.8.8.8	0xe248	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:29.186521053 CEST	192.168.2.7	8.8.8.8	0x1496	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:36.934360027 CEST	192.168.2.7	8.8.8.8	0xf282	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:43.045001984 CEST	192.168.2.7	8.8.8.8	0xa5c9	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:49.527162075 CEST	192.168.2.7	8.8.8.8	0x7be4	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:54.530867100 CEST	192.168.2.7	8.8.8.8	0x4051	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:01.091682911 CEST	192.168.2.7	8.8.8.8	0xf734	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:06.156100035 CEST	192.168.2.7	8.8.8.8	0xdbc4	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:12.186599016 CEST	192.168.2.7	8.8.8.8	0x622a	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 30, 2023 16:39:22.397989988 CEST	8.8.8.8	192.168.2.7	0xf453	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:32.632709026 CEST	8.8.8.8	192.168.2.7	0x5e7e	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:44.381418943 CEST	8.8.8.8	192.168.2.7	0xa8f2	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:51.524482012 CEST	8.8.8.8	192.168.2.7	0xae94	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:59.757992983 CEST	8.8.8.8	192.168.2.7	0x338a	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:05.983731985 CEST	8.8.8.8	192.168.2.7	0x8320	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:13.617819071 CEST	8.8.8.8	192.168.2.7	0x3578	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:20.033102036 CEST	8.8.8.8	192.168.2.7	0xd4de	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:26.576658964 CEST	8.8.8.8	192.168.2.7	0xe4f9	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:33.140515089 CEST	8.8.8.8	192.168.2.7	0xd2fe	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:40.672013998 CEST	8.8.8.8	192.168.2.7	0x8d6e	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:48.938972950 CEST	8.8.8.8	192.168.2.7	0x24e7	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:58.444981098 CEST	8.8.8.8	192.168.2.7	0x8d7b	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:06.980006933 CEST	8.8.8.8	192.168.2.7	0xff49	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:14.936583042 CEST	8.8.8.8	192.168.2.7	0x43f4	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:23.529709101 CEST	8.8.8.8	192.168.2.7	0x71ba	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:29.972347975 CEST	8.8.8.8	192.168.2.7	0x135e	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:37.776343107 CEST	8.8.8.8	192.168.2.7	0x668b	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:44.593158960 CEST	8.8.8.8	192.168.2.7	0xeba5	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:52.180840969 CEST	8.8.8.8	192.168.2.7	0xf4e8	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:03.474879026 CEST	8.8.8.8	192.168.2.7	0x7d3b	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:09.810009956 CEST	8.8.8.8	192.168.2.7	0xf20	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:15.122503996 CEST	8.8.8.8	192.168.2.7	0x4758	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:22.179284096 CEST	8.8.8.8	192.168.2.7	0xe248	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:29.221518040 CEST	8.8.8.8	192.168.2.7	0x1496	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:36.960967064 CEST	8.8.8.8	192.168.2.7	0xf282	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:43.072479010 CEST	8.8.8.8	192.168.2.7	0xa5c9	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:49.555417061 CEST	8.8.8.8	192.168.2.7	0x7be4	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:54.559801102 CEST	8.8.8.8	192.168.2.7	0x4051	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:01.120343924 CEST	8.8.8.8	192.168.2.7	0xf734	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:06.191737890 CEST	8.8.8.8	192.168.2.7	0xdbc4	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:12.201931953 CEST	8.8.8.8	192.168.2.7	0x622a	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:39:04
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0xf50000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: 4An07Q7I8G.exePID: 4900, Parent PID: 5516

General

Target ID:	1
Start time:	16:39:13
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0x230000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: 4An07Q7I8G.exePID: 5672, Parent PID: 5516

General

Target ID:	2
Start time:	16:39:13
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0xd80000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 4700, Parent PID: 5672

General

Target ID:	3
Start time:	16:39:15
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp
Imagebase:	0x360000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4036, Parent PID: 4700

General

Target ID:	4
Start time:	16:39:15
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 5724, Parent PID: 5672

General

Target ID:	5
Start time:	16:39:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp
Imagebase:	0x360000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2028, Parent PID: 5724

General

Target ID:	6
Start time:	16:39:16
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 4An07Q7I8G.exePID: 1252, Parent PID: 1100

General

Target ID:	7
Start time:	16:39:16
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe 0
Imagebase:	0x820000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: dhcpmon.exePID: 3348, Parent PID: 1100

General

Target ID:	8
Start time:	16:39:17
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x100000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 24%, ReversingLabs
Reputation:	low

Analysis Process: dhcpmon.exePID: 3224, Parent PID: 3348

General

Target ID:	9
Start time:	16:39:26
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xce0000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: 4An07Q7I8G.exePID: 5904, Parent PID: 1252

General

Target ID:	10
Start time:	16:39:26
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0xb60000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: dhcpmon.exePID: 3636, Parent PID: 3320

General

Target ID:	11
Start time:	16:39:27
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x160000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: dhcpmon.exePID: 5724, Parent PID: 3636

General

Target ID:	12
Start time:	16:39:35
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x390000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 3956, Parent PID: 3636

General

Target ID:	13
Start time:	16:39:35
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xcd0000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4An07Q7I8G.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4An07Q7I8G.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Windows Analysis Report
4An07Q7I8G.exe