Analysis Report: Invoice# 77-83992-8297382 (2).exe

Overview

General Information

Sample Name: Invoice# 77-83992-8297382 (2).exe
Analysis ID: 339193
MD5: 4c67eb7b3f4ea88e5e5487ade487de3f
SHA1: d118ae4beef890783251d53f3f7fe5e6c9a65a10
SHA256: db433304c3e22d8222cfe510e8548515c9dccfc9f080f94efc67aa11f44a6b3f
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Antivirus or Machine Learning detection for unpacked file
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • dhcpmon.exe (PID: 1020 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)
    • dhcpmon.exe (PID: 6228 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2ee5:$a: NanoCore
  • 0x2f3e:$a: NanoCore
  • 0x2f7b:$a: NanoCore
  • 0x2ff4:$a: NanoCore
  • 0x1669f:$a: NanoCore
  • 0x166b4:$a: NanoCore
  • 0x166e9:$a: NanoCore
  • 0x2f173:$a: NanoCore
  • 0x2f188:$a: NanoCore
  • 0x2f1bd:$a: NanoCore
  • 0x2f47:$b: ClientPlugin
  • 0x2f84:$b: ClientPlugin
  • 0x3882:$b: ClientPlugin
  • 0x388f:$b: ClientPlugin
  • 0x1645b:$b: ClientPlugin
  • 0x16476:$b: ClientPlugin
  • 0x164a6:$b: ClientPlugin
  • 0x166bd:$b: ClientPlugin
  • 0x166f2:$b: ClientPlugin
  • 0x2ef2f:$b: ClientPlugin
  • 0x2ef4a:$b: ClientPlugin
00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, ProcessId: 5800, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: Invoice# 77-83992-8297382 (2).exe, ReversingLabs: Detection: 26%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
Source: Yara match, File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
Source: Yara match, File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, Avira: Label: TR/NanoCore.fadte
Source: Invoice# 77-83992-8297382 (2).exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoice# 77-83992-8297382 (2).exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, Code function: 4x nop then jmp 016AEB76h (0_2_016AE3B0)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, Code function: 4x nop then mov esp, ebp (0_2_016A8DC0)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, Code function: 4x nop then jmp 016AEB76h (0_2_016AE3A0)
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, Code function: 4x nop then mov esp, ebp (0_2_016A8DB1)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then jmp 00DBEB76h (4_2_00DBE3A0)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then mov esp, ebp (4_2_00DB8DC0)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then mov esp, ebp (4_2_00DB8DB1)
Source: global traffic, TCP traffic: 192.168.2.3:49712 -> 194.5.97.173:10004
Source: unknown, DNS traffic detected: queries for: 1.ispnano.dns-cloud.net
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000003.233824722.0000000001326000.00000004.00000001.sdmp, String found in binary or memory: http://go.microsoft.c
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240339078.00000000016E9000.00000004.00000040.sdmp, String found in binary or memory: http://ns.ado/Ident
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Invoice# 77-83992-8297382 (2).exe
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, Code function: 0_2_0F2E2FE8 CreateProcessAsUserW (0_2_0F2E2FE8)
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.245504993.0000000005830000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000000.220656885.0000000000D02000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSHCore1.dll0 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240375788.0000000002FB1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameRunPe6.dll" vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621320469.0000000006200000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000003.243082118.00000000014BF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615231415.000000000144A000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@39/2
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-83992-8297382 (2).exe.log
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{e1e01d8e-d2ec-4c98-af39-dda666441e66}
        Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Invoice# 77-83992-8297382 (2).exe | ReversingLabs: Detection: 26%
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File read: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
        Source: unknown | Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe 'C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe'
        Source: unknown | Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe:Zone.Identifier read attributes | delete
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Window / User API: threadDelayed 5388
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Window / User API: threadDelayed 3964
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Window / User API: foregroundWindowGot 1343
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Window / User API: foregroundWindowGot 467
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 4740 | Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 4812 | Thread sleep count: 138 > 30
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 5288 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 5676 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe TID: 4112 | Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4092 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212 | Thread sleep count: 79 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212 | Thread sleep count: 99 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5624 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6656 | Thread sleep time: -922337203685477s >= -30000s
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: VMware
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: vmware svga
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
        Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
        Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: vmtools
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: dhcpmon.exe, 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615434525.00000000014CE000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Memory written: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621511799.000000000643C000.00000004.00000001.sdmp | Binary or memory string: Program Manager(
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.622192424.000000000716D000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615771156.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615771156.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.618572960.0000000003491000.00000004.00000001.sdmp | Binary or memory string: Program Manager0
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.616498522.0000000003123000.00000004.00000001.sdmp | Binary or memory string: Program ManagerX
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615771156.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621726909.00000000067FD000.00000004.00000001.sdmp | Binary or memory string: Program Manager(pI
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
        Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
        Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts1 | Windows Management Instrumentation | Valid Accounts1 | Valid Accounts1 | Masquerading2 | Input Capture11 | Security Software Discovery11 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Access Token Manipulation1 | Valid Accounts1 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection112 | Virtualization/Sandbox Evasion2 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Disable or Modify Tools1 | LSA Secrets | System Information Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol1 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection112 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Deobfuscate/Decode Files or Information1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Obfuscated Files or Information1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Software Packing11 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

Behavior Graph

(Graph image not included in this capture. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
Invoice# 77-83992-8297382 (2).exe | 26% | ReversingLabs | Win32.Trojan.Bulz

        Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 26% | ReversingLabs | Win32.Trojan.Bulz

        Unpacked PE Files

Source | Detection | Scanner | Label
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack | 100% | Avira | TR/NanoCore.fadte

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
http://go.microsoft.c | 0% | Avira URL Cloud | safe
http://ns.ado/Ident | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
1.ispnano.dns-cloud.net | 194.5.97.173 | true | false | | unknown
g.msn.com | unknown | unknown | false | | high

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://go.microsoft.c | Invoice# 77-83992-8297382 (2).exe, 00000000.00000003.233824722.0000000001326000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.ado/Ident | Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240339078.00000000016E9000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.97.173 | unknown | Netherlands | 208476 | DANILENKODE | false

            Private

            IP
            192.168.2.1

            General Information

            Joe Sandbox Version:31.0.0 Red Diamond
            Analysis ID:339193
            Start date:13.01.2021
            Start time:17:08:28
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 56s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:Invoice# 77-83992-8297382 (2).exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:30
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@6/5@39/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 0.5% (good quality ratio 0.5%)
            • Quality average: 76.8%
            • Quality standard deviation: 17.2%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 102
            • Number of non-executed functions: 7
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.210.248.85, 51.104.146.109, 92.122.213.194, 92.122.213.247, 52.147.198.201, 52.255.188.83, 2.20.142.210, 2.20.142.209, 51.103.5.159, 20.54.26.129, 52.142.114.176, 51.11.168.160, 52.155.217.156
            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/339193/sample/Invoice# 77-83992-8297382 (2).exe

            Simulations

            Behavior and APIs

Time | Type | Description
17:09:35 | API Interceptor | 1468x Sleep call for process: Invoice# 77-83992-8297382 (2).exe modified
17:09:38 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Joe Sandbox View / Context

            IPs

Match | Associated Sample Name / URL | Detection
194.5.97.173 | Invoice #756-77988-23989646.exe | malicious
194.5.97.173 | shipping order.exe | malicious
194.5.97.173 | shipping order#.exe | malicious

                  Domains

Match | Associated Sample Name / URL | Detection | Context
1.ispnano.dns-cloud.net | shipping order.exe | malicious | 194.5.97.173
1.ispnano.dns-cloud.net | shipping order#.exe | malicious | 194.5.97.173

                  ASN

Match | Associated Sample Name / URL | Detection | Context
DANILENKODE | PO-Scan-Documents00012910993993.exe | malicious | 194.5.97.155
DANILENKODE | Wjhus order 13.1.2021.exe | malicious | 194.5.98.176
DANILENKODE | Invoice #756-77988-23989646.exe | malicious | 194.5.97.173
DANILENKODE | Quotation.exe | malicious | 194.5.98.200
DANILENKODE | December SOA.exe | malicious | 194.5.97.66
DANILENKODE | IMG-001GE-0HUE48E-001012-001.exe | malicious | 194.5.97.155
DANILENKODE | shipping order.exe | malicious | 194.5.97.173
DANILENKODE | shipping order#.exe | malicious | 194.5.97.173
DANILENKODE | BL,IN&PL.exe | malicious | 194.5.97.206
DANILENKODE | New PO.exe | malicious | 194.5.98.32
DANILENKODE | Order Inquiry.exe | malicious | 194.5.97.235
DANILENKODE | IMG 01-06-2021 93899283.exe | malicious | 194.5.97.177
DANILENKODE | SWIFT345343445pdf.exe | malicious | 194.5.97.164
DANILENKODE | DHL1.exe | malicious | 194.5.98.145
DANILENKODE | Original BL_pdf.exe | malicious | 194.5.97.107
DANILENKODE | AWB & CI_pdf.exe | malicious | 194.5.97.107
DANILENKODE | File.exe | malicious | 194.5.98.108
DANILENKODE | New Avinode Plans and Prices 2021.xls | malicious | 194.5.98.215
DANILENKODE | Shiping Doc BL.exe | malicious | 194.5.98.157
DANILENKODE | Shiping Doc BL.exe | malicious | 194.5.98.157

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Process:C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):849920
                  Entropy (8bit):5.429435248347001
                  Encrypted:false
                  SSDEEP:12288:L0Fi3dg/zDNj6udDKlNCyPhf223d9ZSn9Vb:oi3dg/PNj/KlRbZSnb
                  MD5:4C67EB7B3F4EA88E5E5487ADE487DE3F
                  SHA1:D118AE4BEEF890783251D53F3F7FE5E6C9A65A10
                  SHA-256:DB433304C3E22D8222CFE510E8548515C9DCCFC9F080F94EFC67AA11F44A6B3F
                  SHA-512:37609EA4261FE4DADF403A05014DB11DEFAE9A65CEF8C5639A56166A379B1151EE48100F6726D8160AEFAD9C49EA6A5430E17526B87A41DC2366E6C23CE4759C
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 26%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......7..............P.................. ... ....@.. .......................`............`.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........<*......Z....E.............................................&..(.....*.s.........s.........s.........s ........*&........*".......*Vs ...(3...t.........*..(4...*..(....*N. ..........(-....*V....(E........(2....*^.~....(b........(8....*v.~....~.....(C........(<....*.....(R....*^......(F...t....o`....*..(G...*....0..d.............0.............0.............0............(!...t0..........0.......\............0.......-0.+..(!...t....&..........-...&................+?.
                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                  Process:C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview: [ZoneTransfer]....ZoneId=0
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-83992-8297382 (2).exe.log
                  Process:C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1451
                  Entropy (8bit):5.345862727722058
                  Encrypted:false
                  SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                  MD5:06F54CDBFEF62849AF5AE052722BD7B6
                  SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                  SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                  SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1451
                  Entropy (8bit):5.345862727722058
                  Encrypted:false
                  SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                  MD5:06F54CDBFEF62849AF5AE052722BD7B6
                  SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                  SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                  SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                  Process:C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8
                  Entropy (8bit):3.0
                  Encrypted:false
                  SSDEEP:3:aYl:aQ
                  MD5:49CFF363A29F80058C2F4C57C1021A70
                  SHA1:A498CB7524C13C67F39E088417AEE9193645F6F0
                  SHA-256:04941065834332F29ECCFACA73DD5BFA47DE6B7628E23F45C50EB229893210AD
                  SHA-512:0E2FB71980BA615F463FB5FF6C6CCA2893912B0219F4B0497AA19A6D856155DAD0D3C5DC5B7808EEAE9545791C2656B633B978F583DA6E2AC2B1BCA331976CC6
                  Malicious:true
                  Reputation:low
                  Preview: .}..)..H
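The dropped-file entries above and the Autostart line in the Simulations section describe one persistence chain: the sample copies itself byte-for-byte (identical MD5, SHA-1 and SHA-256) to C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, writes the copy's Zone.Identifier stream as ZoneId=0 (Local Machine) so that mark-of-the-web checks such as SmartScreen see a local file rather than an Internet download (ZoneId=3), and registers the copy under HKLM\...\Run as "DHCP Monitor". An explicit ZoneId=0 is not something Explorer or a browser writes, which is why the stream alone is a strong indicator. The Python below is an added example, not part of the sandbox report: it turns those three observations into triage rules over the values the report lists. The stream bytes are reconstructed to match the 26-byte size and the preview, the hash dictionaries and the Run event line are transcribed from the report, and the rules and helper names are mine.

```python
"""Triage of the dropped-file and autostart artifacts in the report (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Windows URL security zones as they appear in a Zone.Identifier stream (URLZONE_*).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed: a 26-byte stream consistent with the report's preview "[ZoneTransfer]....ZoneId=0".
ZONE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Transcribed from the report's "Created / dropped Files" and "Static File Info" sections.
SAMPLE_HASHES = {"md5": "4c67eb7b3f4ea88e5e5487ade487de3f",
                 "sha256": "db433304c3e22d8222cfe510e8548515c9dccfc9f080f94efc67aa11f44a6b3f"}
DROPPED_HASHES = {"md5": "4C67EB7B3F4EA88E5E5487ADE487DE3F",
                  "sha256": "DB433304C3E22D8222CFE510E8548515C9DCCFC9F080F94EFC67AA11F44A6B3F"}
DROPPED_PATH = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
# Transcribed from the Simulations section (hive key, value name, command, space separated).
RUN_EVENT = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor "
             r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe")


def parse_zone_identifier(data: bytes) -> Dict[str, str]:
    """Parse the INI-style stream; blank lines and sections other than [ZoneTransfer] are ignored."""
    section, values = None, {}
    for raw in data.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def zone_id(values: Dict[str, str]) -> Optional[int]:
    """Numeric ZoneId, or None when the stream carries no usable value."""
    try:
        return int(values["ZoneId"])
    except (KeyError, ValueError):
        return None


def parse_run_event(event: str) -> Tuple[str, str, str]:
    """Split 'HKLM\\...\\Run <value name> <command>' at the first drive-letter path."""
    m = re.match(r"^(?P<key>\S+\\Run) (?P<name>.+?) (?P<cmd>[A-Za-z]:\\.*)$", event)
    if not m:
        raise ValueError(f"unrecognised autostart event: {event!r}")
    return m["key"], m["name"], m["cmd"]


def is_self_copy(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """True when every hash algorithm both records share agrees (case-insensitive hex)."""
    shared = set(a) & set(b)
    return bool(shared) and all(a[k].lower() == b[k].lower() for k in shared)


def triage(zone_stream: bytes, sample_hashes: Dict[str, str], dropped_hashes: Dict[str, str],
           dropped_path: str, run_event: str) -> List[str]:
    findings = []
    z = zone_id(parse_zone_identifier(zone_stream))
    if z == 0:
        findings.append("Zone.Identifier on the dropped PE reads ZoneId=0 (Local Machine); "
                        "a download carries 3 (Internet), so the dropper rewrote the mark-of-the-web")
    if is_self_copy(sample_hashes, dropped_hashes):
        findings.append("dropped file is hash-identical to the submitted sample (self-copy)")
    key, name, cmd = parse_run_event(run_event)
    if cmd.strip('"').lower() == dropped_path.lower():
        findings.append(f"{key} value '{name}' starts the dropped copy at logon")
    return findings


if __name__ == "__main__":
    for f in triage(ZONE_STREAM, SAMPLE_HASHES, DROPPED_HASHES, DROPPED_PATH, RUN_EVENT):
        print("finding:", f)
```

On a live host the same checks read the stream with the `path:Zone.Identifier` syntax on NTFS and the Run value from the registry; here the inputs are the report's own values so the rules run offline.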

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.429435248347001
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:Invoice# 77-83992-8297382 (2).exe
                  File size:849920
                  MD5:4c67eb7b3f4ea88e5e5487ade487de3f
                  SHA1:d118ae4beef890783251d53f3f7fe5e6c9a65a10
                  SHA256:db433304c3e22d8222cfe510e8548515c9dccfc9f080f94efc67aa11f44a6b3f
                  SHA512:37609ea4261fe4dadf403a05014db11defae9a65cef8c5639a56166a379b1151ee48100f6726d8160aefad9c49ea6a5430e17526b87a41dc2366e6c23ce4759c
                  SSDEEP:12288:L0Fi3dg/zDNj6udDKlNCyPhf223d9ZSn9Vb:oi3dg/PNj/KlRbZSnb
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......7..............P.................. ... ....@.. .......................`............`................................

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x4d0c1e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                  Time Stamp:0x37DD8418 [Mon Sep 13 23:09:12 1999 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes after the 6-byte jmp stub are zero, and a disassembler renders each 00 00 pair as add byte ptr [eax], al)

                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd0bcc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd2000 | 0x596 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcec24 | 0xcee00 | False | 0.490468041918 | data | 5.43331937316 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xd2000 | 0x596 | 0x600 | False | 0.413411458333 | data | 4.05390274957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd20a0 | 0x30c | data | |
RT_MANIFEST | 0xd23ac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                  Imports

DLL | Import
mscoree.dll | _CorExeMain

                  Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2021
Assembly Version | 1.0.0.0
InternalName | Stub52.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Stub52
ProductVersion | 1.0.0.0
FileDescription | Stub52
OriginalFilename | Stub52.exe
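Two things in the static tables deserve a second look, and the Python below (an added example, not part of the report) turns them into checks. First, TimeDateStamp 0x37DD8418 decodes to 13 September 1999, yet the image targets CLR v4.0.30319 (released 2010) and carries "Copyright 2021" in its version resource, so the link time cannot be a real build time: it was either set deliberately (timestomping) or produced by a deterministic build, where the field is derived from a content hash rather than a clock, and the mismatch on its own is a lead rather than proof. Second, the entrypoint disassembly is the standard native stub of a .NET executable: jmp dword ptr [00402000h] encodes as FF 25 00 20 40 00, its target 0x402000 is RVA 0x2000, which is exactly the 8-byte IAT directory holding the single import mscoree!_CorExeMain, and the 97 add byte ptr [eax], al lines are the 00 00 padding after the 6-byte stub. Native disassembly therefore says nothing about the sample's behaviour; the real code is CIL and needs a .NET decompiler. The CLR release years, the stub bytes (reconstructed from the disassembly, not dumped from the sample) and the rule logic are my assumptions.

```python
"""Static sanity checks on the PE header fields the report lists (added example)."""
import re
from datetime import datetime, timezone
from typing import List

# First public release year of each CLR runtime string (assumption behind the
# plausibility rule: a binary built for a runtime cannot honestly predate it).
CLR_RELEASE_YEAR = {"v1.0.3705": 2002, "v1.1.4322": 2003,
                    "v2.0.50727": 2005, "v4.0.30319": 2010}

# Constructed from the report's entrypoint disassembly: jmp dword ptr [00402000h]
# followed by zero padding. Not bytes dumped from the sample.
ENTRY_STUB = bytes.fromhex("ff2500204000") + b"\x00" * 10

# Values transcribed from the report's Static PE Info tables.
TIME_DATE_STAMP = 0x37DD8418
IMAGE_BASE = 0x400000
IAT_RVA, IAT_SIZE = 0x2000, 0x8
CLR_VERSION = "v4.0.30319"
COPYRIGHT = "Copyright 2021"


def decode_pe_timestamp(time_date_stamp: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)


def timestamp_findings(time_date_stamp: int, clr_version: str, copyright_text: str) -> List[str]:
    """Cross-check the link time against two independent dates carried by the same file."""
    ts = decode_pe_timestamp(time_date_stamp)
    findings = []
    clr_year = CLR_RELEASE_YEAR.get(clr_version)
    if clr_year is not None and ts.year < clr_year:
        findings.append(f"link time {ts:%Y-%m-%d} predates CLR {clr_version} (released {clr_year})")
    m = re.search(r"\b(?:19|20)\d{2}\b", copyright_text)
    if m and ts.year < int(m.group()):
        findings.append(f"link time {ts.year} is earlier than the version-info copyright year {m.group()}")
    return findings


def indirect_jmp_target(code: bytes) -> int:
    """Decode 'FF 25 disp32' (32-bit jmp dword ptr [absolute]); reject anything else."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        raise ValueError("entrypoint does not start with jmp dword ptr [imm32]")
    return int.from_bytes(code[2:6], "little")


def entry_jumps_through_iat(target_va: int, image_base: int, iat_rva: int, iat_size: int) -> bool:
    """True when the jmp reads its destination from the IAT, i.e. the native entrypoint
    is only a thunk into an imported function (for a .NET image, mscoree!_CorExeMain)."""
    rva = target_va - image_base
    return iat_rva <= rva < iat_rva + iat_size


def zero_padding_after_stub(code: bytes, stub_len: int = 6) -> int:
    """Number of zero bytes following the stub; each 00 00 pair disassembles as add byte ptr [eax], al."""
    return sum(1 for b in code[stub_len:] if b == 0)


if __name__ == "__main__":
    print("link time:", decode_pe_timestamp(TIME_DATE_STAMP).isoformat())
    for f in timestamp_findings(TIME_DATE_STAMP, CLR_VERSION, COPYRIGHT):
        print("finding:", f)
    target = indirect_jmp_target(ENTRY_STUB)
    print(f"entry jmp target {target:#x}, through IAT:",
          entry_jumps_through_iat(target, IMAGE_BASE, IAT_RVA, IAT_SIZE))
```

Both checks are cheap enough to run on every .NET sample before opening a decompiler; a timestamp that disagrees with the CLR version and the copyright year goes into the report as an inconsistency to explain, not as a conclusion.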

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 17:09:36.716850042 CET | 49712 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:36.768384933 CET | 10004 | 49712 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:37.277143955 CET | 49712 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:37.326282978 CET | 10004 | 49712 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:37.839719057 CET | 49712 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:37.889018059 CET | 10004 | 49712 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:43.399245024 CET | 49713 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:43.448784113 CET | 10004 | 49713 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:44.027650118 CET | 49713 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:44.077121973 CET | 10004 | 49713 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:44.637187958 CET | 49713 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:44.686736107 CET | 10004 | 49713 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:48.800421953 CET | 49717 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:48.849715948 CET | 10004 | 49717 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:49.528851986 CET | 49717 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:49.578217983 CET | 10004 | 49717 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:50.137547016 CET | 49717 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:50.186742067 CET | 10004 | 49717 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:54.329802036 CET | 49720 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:54.379086018 CET | 10004 | 49720 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:55.028629065 CET | 49720 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:55.077912092 CET | 10004 | 49720 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:55.638024092 CET | 49720 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:55.688035011 CET | 10004 | 49720 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:09:59.924818993 CET | 49724 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:09:59.974153042 CET | 10004 | 49724 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:00.540069103 CET | 49724 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:00.589448929 CET | 10004 | 49724 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:01.138472080 CET | 49724 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:01.254395962 CET | 10004 | 49724 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:05.364154100 CET | 49728 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:05.414776087 CET | 10004 | 49728 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:05.928263903 CET | 49728 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:05.977524996 CET | 10004 | 49728 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:06.530002117 CET | 49728 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:06.579221010 CET | 10004 | 49728 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:10.730393887 CET | 49738 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:10.779676914 CET | 10004 | 49738 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:11.279241085 CET | 49738 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:11.328452110 CET | 10004 | 49738 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:11.983228922 CET | 49738 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:12.033037901 CET | 10004 | 49738 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:16.135730982 CET | 49749 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:16.184935093 CET | 10004 | 49749 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:16.686604023 CET | 49749 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:16.735814095 CET | 10004 | 49749 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:17.374187946 CET | 49749 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:17.423360109 CET | 10004 | 49749 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:21.603288889 CET | 49750 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:21.652797937 CET | 10004 | 49750 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:22.187079906 CET | 49750 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:22.236682892 CET | 10004 | 49750 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:22.780889988 CET | 49750 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:22.833842993 CET | 10004 | 49750 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:26.931889057 CET | 49753 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:26.981302977 CET | 10004 | 49753 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:27.484529018 CET | 49753 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:27.533932924 CET | 10004 | 49753 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:28.046943903 CET | 49753 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:28.096316099 CET | 10004 | 49753 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:32.224612951 CET | 49754 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:32.274112940 CET | 10004 | 49754 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:32.781811953 CET | 49754 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:32.831726074 CET | 10004 | 49754 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:33.344243050 CET | 49754 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:33.393853903 CET | 10004 | 49754 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:37.569816113 CET | 49755 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:37.619103909 CET | 10004 | 49755 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:38.125946045 CET | 49755 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:38.175285101 CET | 10004 | 49755 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:38.688491106 CET | 49755 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:38.737788916 CET | 10004 | 49755 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:42.835010052 CET | 49756 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:42.884427071 CET | 10004 | 49756 | 194.5.97.173 | 192.168.2.3
Jan 13, 2021 17:10:43.392069101 CET | 49756 | 10004 | 192.168.2.3 | 194.5.97.173
Jan 13, 2021 17:10:43.460846901 CET | 10004 | 49756 | 194.5.97.173 | 192.168.2.3
                  Jan 13, 2021 17:10:43.970176935 CET4975610004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:44.019666910 CET1000449756194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:48.126225948 CET4975710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:48.175662994 CET1000449757194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:48.689410925 CET4975710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:48.738691092 CET1000449757194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:49.252041101 CET4975710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:49.301299095 CET1000449757194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:53.429653883 CET4975810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:53.479063034 CET1000449758194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:53.989485025 CET4975810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:54.038609982 CET1000449758194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:54.549243927 CET4975810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:54.598433971 CET1000449758194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:58.731355906 CET4975910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:58.780493975 CET1000449759194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:59.284090042 CET4975910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:59.333575010 CET1000449759194.5.97.173192.168.2.3
                  Jan 13, 2021 17:10:59.846481085 CET4975910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:10:59.895761967 CET1000449759194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:04.107656002 CET4976010004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:04.157145023 CET1000449760194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:04.659398079 CET4976010004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:04.709103107 CET1000449760194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:05.221992016 CET4976010004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:05.271406889 CET1000449760194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:11.270730019 CET4976110004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:11.319988012 CET1000449761194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:11.831831932 CET4976110004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:11.881004095 CET1000449761194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:12.394362926 CET4976110004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:12.444956064 CET1000449761194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:16.628418922 CET4976410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:16.677779913 CET1000449764194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:17.191637039 CET4976410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:17.241030931 CET1000449764194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:17.754206896 CET4976410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:17.803564072 CET1000449764194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:21.934524059 CET4976510004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:21.987149000 CET1000449765194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:22.489048958 CET4976510004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:22.538125038 CET1000449765194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:23.051522970 CET4976510004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:23.100675106 CET1000449765194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:27.202641010 CET4976610004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:27.251967907 CET1000449766194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:27.755142927 CET4976610004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:27.804662943 CET1000449766194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:28.317595005 CET4976610004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:28.366888046 CET1000449766194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:32.506751060 CET4976710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:32.555866957 CET1000449767194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:33.068326950 CET4976710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:33.117489100 CET1000449767194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:33.630503893 CET4976710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:33.679714918 CET1000449767194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:37.886945009 CET4976810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:37.936693907 CET1000449768194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:38.443414927 CET4976810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:38.492921114 CET1000449768194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:39.005964041 CET4976810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:39.056788921 CET1000449768194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:43.157021046 CET4976910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:43.206331015 CET1000449769194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:43.709722996 CET4976910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:43.758857965 CET1000449769194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:44.272111893 CET4976910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:44.321363926 CET1000449769194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:48.536966085 CET4977210004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:48.586213112 CET1000449772194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:49.100599051 CET4977210004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:49.150079012 CET1000449772194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:49.663084984 CET4977210004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:49.712935925 CET1000449772194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:53.847565889 CET4977310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:53.896764994 CET1000449773194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:54.397891998 CET4977310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:54.447297096 CET1000449773194.5.97.173192.168.2.3
                  Jan 13, 2021 17:11:54.960439920 CET4977310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:11:55.009988070 CET1000449773194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:01.266836882 CET4977410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:01.316265106 CET1000449774194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:01.915467024 CET4977410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:01.964806080 CET1000449774194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:02.523214102 CET4977410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:02.572539091 CET1000449774194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:06.670568943 CET4977710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:06.720004082 CET1000449777194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:07.228813887 CET4977710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:07.278978109 CET1000449777194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:07.815005064 CET4977710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:07.864326954 CET1000449777194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:11.970531940 CET4978310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:12.019689083 CET1000449783194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:12.530124903 CET4978310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:12.579417944 CET1000449783194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:13.217650890 CET4978310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:13.267040968 CET1000449783194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:17.381640911 CET4978710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:17.430819988 CET1000449787194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:17.936811924 CET4978710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:17.985955000 CET1000449787194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:18.499368906 CET4978710004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:18.548578978 CET1000449787194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:22.706068993 CET4978810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:22.755253077 CET1000449788194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:23.265444040 CET4978810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:23.314702034 CET1000449788194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:23.828996897 CET4978810004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:23.878385067 CET1000449788194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:28.031662941 CET4978910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:28.080996037 CET1000449789194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:28.593987942 CET4978910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:28.643279076 CET1000449789194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:29.156528950 CET4978910004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:29.205878973 CET1000449789194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:33.278913975 CET4979010004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:33.328360081 CET1000449790194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:33.828773022 CET4979010004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:33.878405094 CET1000449790194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:34.391370058 CET4979010004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:34.440861940 CET1000449790194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:38.513010025 CET4979110004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:38.562539101 CET1000449791194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:39.063642979 CET4979110004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:39.113276958 CET1000449791194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:39.626152039 CET4979110004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:39.675518036 CET1000449791194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:43.747081995 CET4979210004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:43.797219038 CET1000449792194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:44.298511982 CET4979210004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:44.347872972 CET1000449792194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:44.861104965 CET4979210004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:44.911178112 CET1000449792194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:48.984991074 CET4979310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:49.034157038 CET1000449793194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:49.548923016 CET4979310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:49.598165035 CET1000449793194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:50.111371040 CET4979310004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:50.160742998 CET1000449793194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:54.235516071 CET4979410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:54.284753084 CET1000449794194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:54.799325943 CET4979410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:54.848685980 CET1000449794194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:55.361808062 CET4979410004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:55.413533926 CET1000449794194.5.97.173192.168.2.3
                  Jan 13, 2021 17:12:59.485568047 CET4979510004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:12:59.537291050 CET1000449795194.5.97.173192.168.2.3
                  Jan 13, 2021 17:13:00.049704075 CET4979510004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:13:00.098994970 CET1000449795194.5.97.173192.168.2.3
                  Jan 13, 2021 17:13:00.612215042 CET4979510004192.168.2.3194.5.97.173
                  Jan 13, 2021 17:13:00.661590099 CET1000449795194.5.97.173192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 17:09:28.497873068 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:28.545753002 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:30.097846985 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:30.148536921 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:36.633502007 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:36.703766108 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:43.339847088 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:43.396136045 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:47.129807949 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:47.187757015 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:48.737692118 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:48.799089909 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:49.170738935 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:49.221443892 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:54.257950068 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:54.327219009 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:57.605323076 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:57.665364027 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:58.054920912 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:58.105823994 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:58.906404972 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:58.954344034 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:09:59.875073910 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:09:59.922853947 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:01.104103088 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:01.154850006 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:04.195559025 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:04.251647949 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:05.037314892 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:05.085202932 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:05.305628061 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:05.362389088 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:05.939368010 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:05.987246990 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:06.753321886 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:06.804006100 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:07.158162117 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:07.216087103 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:07.363090038 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:07.420190096 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:07.619266987 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:07.667121887 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:08.528155088 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:08.578916073 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:08.703545094 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:08.762765884 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:09.439726114 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:09.490441084 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:10.292624950 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:10.340560913 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:10.680809975 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:10.728758097 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:11.144009113 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:11.191858053 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:11.978118896 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:12.027245045 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:13.100095987 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:13.147995949 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:13.912931919 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:13.960949898 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:14.609074116 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:14.669406891 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:14.829952002 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:14.877903938 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:16.075653076 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:16.134773016 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:21.541862011 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:21.602304935 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:23.246170044 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:23.294035912 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:26.182544947 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:26.246912003 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:26.873873949 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:26.930425882 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:32.166691065 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:32.223047972 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:37.515794039 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:37.566517115 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:42.785608053 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:42.833533049 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:48.068613052 CET | 56803 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:48.124769926 CET | 53 | 56803 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:53.342681885 CET | 57145 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:53.399116993 CET | 53 | 57145 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:10:58.670852900 CET | 55359 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:10:58.729885101 CET | 53 | 55359 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:04.047702074 CET | 58306 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:04.105832100 CET | 53 | 58306 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:11.220237970 CET | 64124 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:11.268183947 CET | 53 | 64124 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:12.391298056 CET | 49361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:12.441092014 CET | 53 | 49361 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:16.535574913 CET | 63150 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:16.591797113 CET | 53 | 63150 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:21.867281914 CET | 53279 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:21.917999029 CET | 53 | 53279 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:27.144418955 CET | 56881 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:27.200948954 CET | 53 | 56881 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:32.449100018 CET | 53642 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:32.505148888 CET | 53 | 53642 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:37.825323105 CET | 55667 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:37.884396076 CET | 53 | 55667 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:43.098982096 CET | 54833 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:43.155555964 CET | 53 | 54833 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:47.840683937 CET | 62476 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:47.889309883 CET | 53 | 62476 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:48.292572975 CET | 49705 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:48.363360882 CET | 53 | 49705 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:48.474570036 CET | 61477 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:48.533888102 CET | 53 | 61477 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:11:53.790071011 CET | 61633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:11:53.846435070 CET | 53 | 61633 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:01.194253922 CET | 55949 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:01.253833055 CET | 53 | 55949 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:05.255992889 CET | 57601 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:05.306658983 CET | 53 | 57601 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:06.062604904 CET | 49342 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:06.135001898 CET | 53 | 49342 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:06.609291077 CET | 56253 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:06.668634892 CET | 53 | 56253 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:07.035053015 CET | 49667 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:07.091231108 CET | 53 | 49667 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:07.822472095 CET | 55439 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:07.878669977 CET | 53 | 55439 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:08.999607086 CET | 57069 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:09.071839094 CET | 53 | 57069 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:09.929860115 CET | 57659 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:09.986413956 CET | 53 | 57659 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:11.465353012 CET | 54717 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:11.513204098 CET | 53 | 54717 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:11.913475037 CET | 63975 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:11.969543934 CET | 53 | 63975 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:13.596380949 CET | 56639 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:13.655941963 CET | 53 | 56639 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:14.919383049 CET | 51856 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:14.975591898 CET | 53 | 51856 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:16.517098904 CET | 56546 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:16.576900005 CET | 53 | 56546 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:17.317095041 CET | 62152 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:17.379125118 CET | 53 | 62152 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:22.594510078 CET | 53470 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:22.650772095 CET | 53 | 53470 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:27.921185970 CET | 56446 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:27.977909088 CET | 53 | 56446 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:33.220309019 CET | 59631 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:33.277091980 CET | 53 | 59631 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:38.455576897 CET | 55515 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:38.512006044 CET | 53 | 55515 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:43.689896107 CET | 64547 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:43.746169090 CET | 53 | 64547 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:48.924525023 CET | 51759 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:48.984445095 CET | 53 | 51759 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:54.175184011 CET | 59207 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:54.234867096 CET | 53 | 59207 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 17:12:59.425617933 CET | 54269 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 17:12:59.484936953 CET | 53 | 54269 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 17:09:36.633502007 CET | 192.168.2.3 | 8.8.8.8 | 0x8d2b | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:09:43.339847088 CET | 192.168.2.3 | 8.8.8.8 | 0xb451 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:09:48.737692118 CET | 192.168.2.3 | 8.8.8.8 | 0x9a1d | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:09:54.257950068 CET | 192.168.2.3 | 8.8.8.8 | 0xa401 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:09:59.875073910 CET | 192.168.2.3 | 8.8.8.8 | 0x4d12 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:05.305628061 CET | 192.168.2.3 | 8.8.8.8 | 0x31b8 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:10.680809975 CET | 192.168.2.3 | 8.8.8.8 | 0x731b | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:16.075653076 CET | 192.168.2.3 | 8.8.8.8 | 0xdb7c | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:21.541862011 CET | 192.168.2.3 | 8.8.8.8 | 0xed52 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:26.182544947 CET | 192.168.2.3 | 8.8.8.8 | 0xd7bd | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:26.873873949 CET | 192.168.2.3 | 8.8.8.8 | 0xeab | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:32.166691065 CET | 192.168.2.3 | 8.8.8.8 | 0x24d2 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:37.515794039 CET | 192.168.2.3 | 8.8.8.8 | 0x9f9d | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:42.785608053 CET | 192.168.2.3 | 8.8.8.8 | 0xe9b8 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:48.068613052 CET | 192.168.2.3 | 8.8.8.8 | 0xc501 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:53.342681885 CET | 192.168.2.3 | 8.8.8.8 | 0xbada | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:10:58.670852900 CET | 192.168.2.3 | 8.8.8.8 | 0x9107 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:04.047702074 CET | 192.168.2.3 | 8.8.8.8 | 0x1e09 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:11.220237970 CET | 192.168.2.3 | 8.8.8.8 | 0x395e | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:16.535574913 CET | 192.168.2.3 | 8.8.8.8 | 0x252c | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:21.867281914 CET | 192.168.2.3 | 8.8.8.8 | 0xb9bc | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:27.144418955 CET | 192.168.2.3 | 8.8.8.8 | 0xdab8 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:32.449100018 CET | 192.168.2.3 | 8.8.8.8 | 0x8966 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:37.825323105 CET | 192.168.2.3 | 8.8.8.8 | 0x63a5 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:43.098982096 CET | 192.168.2.3 | 8.8.8.8 | 0x10f8 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:48.474570036 CET | 192.168.2.3 | 8.8.8.8 | 0x6fc2 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:11:53.790071011 CET | 192.168.2.3 | 8.8.8.8 | 0x5cd2 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:01.194253922 CET | 192.168.2.3 | 8.8.8.8 | 0x25c7 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:06.609291077 CET | 192.168.2.3 | 8.8.8.8 | 0x264f | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:11.913475037 CET | 192.168.2.3 | 8.8.8.8 | 0x1e99 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:17.317095041 CET | 192.168.2.3 | 8.8.8.8 | 0x7030 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:22.594510078 CET | 192.168.2.3 | 8.8.8.8 | 0x8006 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:27.921185970 CET | 192.168.2.3 | 8.8.8.8 | 0xb879 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:33.220309019 CET | 192.168.2.3 | 8.8.8.8 | 0xf2bb | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:38.455576897 CET | 192.168.2.3 | 8.8.8.8 | 0x6341 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:43.689896107 CET | 192.168.2.3 | 8.8.8.8 | 0xc6af | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:48.924525023 CET | 192.168.2.3 | 8.8.8.8 | 0xf39f | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:54.175184011 CET | 192.168.2.3 | 8.8.8.8 | 0xf665 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 13, 2021 17:12:59.425617933 CET | 192.168.2.3 | 8.8.8.8 | 0x7a69 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Jan 13, 2021 17:09:36.703766108 CET | 8.8.8.8 | 192.168.2.3 | 0x8d2b | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:36.703766108 CET | 8.8.8.8 | 192.168.2.3 | 0x8d2b | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:43.396136045 CET | 8.8.8.8 | 192.168.2.3 | 0xb451 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:43.396136045 CET | 8.8.8.8 | 192.168.2.3 | 0xb451 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:48.799089909 CET | 8.8.8.8 | 192.168.2.3 | 0x9a1d | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:48.799089909 CET | 8.8.8.8 | 192.168.2.3 | 0x9a1d | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:54.327219009 CET | 8.8.8.8 | 192.168.2.3 | 0xa401 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:54.327219009 CET | 8.8.8.8 | 192.168.2.3 | 0xa401 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:59.922853947 CET | 8.8.8.8 | 192.168.2.3 | 0x4d12 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:09:59.922853947 CET | 8.8.8.8 | 192.168.2.3 | 0x4d12 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:05.362389088 CET | 8.8.8.8 | 192.168.2.3 | 0x31b8 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:05.362389088 CET | 8.8.8.8 | 192.168.2.3 | 0x31b8 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:10.728758097 CET | 8.8.8.8 | 192.168.2.3 | 0x731b | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:10.728758097 CET | 8.8.8.8 | 192.168.2.3 | 0x731b | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:16.134773016 CET | 8.8.8.8 | 192.168.2.3 | 0xdb7c | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:16.134773016 CET | 8.8.8.8 | 192.168.2.3 | 0xdb7c | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:21.602304935 CET | 8.8.8.8 | 192.168.2.3 | 0xed52 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:21.602304935 CET | 8.8.8.8 | 192.168.2.3 | 0xed52 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:26.246912003 CET | 8.8.8.8 | 192.168.2.3 | 0xd7bd | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                  Jan 13, 2021 17:10:26.930425882 CET | 8.8.8.8 | 192.168.2.3 | 0xeab | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:26.930425882 CET | 8.8.8.8 | 192.168.2.3 | 0xeab | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:32.223047972 CET | 8.8.8.8 | 192.168.2.3 | 0x24d2 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:32.223047972 CET | 8.8.8.8 | 192.168.2.3 | 0x24d2 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:37.566517115 CET | 8.8.8.8 | 192.168.2.3 | 0x9f9d | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:37.566517115 CET | 8.8.8.8 | 192.168.2.3 | 0x9f9d | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:42.833533049 CET | 8.8.8.8 | 192.168.2.3 | 0xe9b8 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:42.833533049 CET | 8.8.8.8 | 192.168.2.3 | 0xe9b8 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:48.124769926 CET | 8.8.8.8 | 192.168.2.3 | 0xc501 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:48.124769926 CET | 8.8.8.8 | 192.168.2.3 | 0xc501 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:53.399116993 CET | 8.8.8.8 | 192.168.2.3 | 0xbada | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:53.399116993 CET | 8.8.8.8 | 192.168.2.3 | 0xbada | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:58.729885101 CET | 8.8.8.8 | 192.168.2.3 | 0x9107 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:10:58.729885101 CET | 8.8.8.8 | 192.168.2.3 | 0x9107 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:04.105832100 CET | 8.8.8.8 | 192.168.2.3 | 0x1e09 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:04.105832100 CET | 8.8.8.8 | 192.168.2.3 | 0x1e09 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:11.268183947 CET | 8.8.8.8 | 192.168.2.3 | 0x395e | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:11.268183947 CET | 8.8.8.8 | 192.168.2.3 | 0x395e | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:16.591797113 CET | 8.8.8.8 | 192.168.2.3 | 0x252c | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:16.591797113 CET | 8.8.8.8 | 192.168.2.3 | 0x252c | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:21.917999029 CET | 8.8.8.8 | 192.168.2.3 | 0xb9bc | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:21.917999029 CET | 8.8.8.8 | 192.168.2.3 | 0xb9bc | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:27.200948954 CET | 8.8.8.8 | 192.168.2.3 | 0xdab8 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:27.200948954 CET | 8.8.8.8 | 192.168.2.3 | 0xdab8 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:32.505148888 CET | 8.8.8.8 | 192.168.2.3 | 0x8966 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:32.505148888 CET | 8.8.8.8 | 192.168.2.3 | 0x8966 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:37.884396076 CET | 8.8.8.8 | 192.168.2.3 | 0x63a5 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:37.884396076 CET | 8.8.8.8 | 192.168.2.3 | 0x63a5 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:43.155555964 CET | 8.8.8.8 | 192.168.2.3 | 0x10f8 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:43.155555964 CET | 8.8.8.8 | 192.168.2.3 | 0x10f8 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:48.533888102 CET | 8.8.8.8 | 192.168.2.3 | 0x6fc2 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:48.533888102 CET | 8.8.8.8 | 192.168.2.3 | 0x6fc2 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:53.846435070 CET | 8.8.8.8 | 192.168.2.3 | 0x5cd2 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:11:53.846435070 CET | 8.8.8.8 | 192.168.2.3 | 0x5cd2 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:01.253833055 CET | 8.8.8.8 | 192.168.2.3 | 0x25c7 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:01.253833055 CET | 8.8.8.8 | 192.168.2.3 | 0x25c7 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:06.668634892 CET | 8.8.8.8 | 192.168.2.3 | 0x264f | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:06.668634892 CET | 8.8.8.8 | 192.168.2.3 | 0x264f | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:11.969543934 CET | 8.8.8.8 | 192.168.2.3 | 0x1e99 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:11.969543934 CET | 8.8.8.8 | 192.168.2.3 | 0x1e99 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:17.379125118 CET | 8.8.8.8 | 192.168.2.3 | 0x7030 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:17.379125118 CET | 8.8.8.8 | 192.168.2.3 | 0x7030 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:22.650772095 CET | 8.8.8.8 | 192.168.2.3 | 0x8006 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:22.650772095 CET | 8.8.8.8 | 192.168.2.3 | 0x8006 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:27.977909088 CET | 8.8.8.8 | 192.168.2.3 | 0xb879 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:27.977909088 CET | 8.8.8.8 | 192.168.2.3 | 0xb879 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:33.277091980 CET | 8.8.8.8 | 192.168.2.3 | 0xf2bb | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:33.277091980 CET | 8.8.8.8 | 192.168.2.3 | 0xf2bb | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:38.512006044 CET | 8.8.8.8 | 192.168.2.3 | 0x6341 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:38.512006044 CET | 8.8.8.8 | 192.168.2.3 | 0x6341 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:43.746169090 CET | 8.8.8.8 | 192.168.2.3 | 0xc6af | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:43.746169090 CET | 8.8.8.8 | 192.168.2.3 | 0xc6af | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:48.984445095 CET | 8.8.8.8 | 192.168.2.3 | 0xf39f | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:48.984445095 CET | 8.8.8.8 | 192.168.2.3 | 0xf39f | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:54.234867096 CET | 8.8.8.8 | 192.168.2.3 | 0xf665 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:54.234867096 CET | 8.8.8.8 | 192.168.2.3 | 0xf665 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:59.484936953 CET | 8.8.8.8 | 192.168.2.3 | 0x7a69 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                  Jan 13, 2021 17:12:59.484936953 CET | 8.8.8.8 | 192.168.2.3 | 0x7a69 | No error (0) | 1.ispnano.dns-cloud.net | | 23.105.131.188 | A (IP address) | IN (0x0001)

                  Code Manipulations

                  Statistics

                  CPU Usage

                  Memory Usage

                  High Level Behavior Distribution

                  Behavior

                  System Behavior

                  General

                  Start time:17:09:23
                  Start date:13/01/2021
                  Path:C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe'
                  Imagebase:0xc30000
                  File size:849920 bytes
                  MD5 hash:4C67EB7B3F4EA88E5E5487ADE487DE3F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  Reputation:low

                  General

                  Start time:17:09:29
                  Start date:13/01/2021
                  Path:C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
                  Imagebase:0xca0000
                  File size:849920 bytes
                  MD5 hash:4C67EB7B3F4EA88E5E5487ADE487DE3F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, Author: Florian Roth
                  Reputation:low

                  General

                  Start time:17:09:47
                  Start date:13/01/2021
                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                  Imagebase:0x420000
                  File size:849920 bytes
                  MD5 hash:4C67EB7B3F4EA88E5E5487ADE487DE3F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  Antivirus matches:
                  • Detection: 26%, ReversingLabs
                  Reputation:low

                  General

                  Start time:17:09:52
                  Start date:13/01/2021
                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Imagebase:0x810000
                  File size:849920 bytes
                  MD5 hash:4C67EB7B3F4EA88E5E5487ADE487DE3F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  Reputation:low

                  Disassembly

                  Code Analysis

                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: ($<$ntin$ntin
                    • API String ID: 0-2884023141
                    • Opcode ID: c48fce866e01594940ed3f165d2c9ee22ce1f12d63cbead0e307dfcbfa9e15df
                    • Instruction ID: 7d9c84531fb58576824d034394ff6745df4a09166a2cb84fc5709e449c8e90bc
                    • Opcode Fuzzy Hash: c48fce866e01594940ed3f165d2c9ee22ce1f12d63cbead0e307dfcbfa9e15df
                    • Instruction Fuzzy Hash: 0CA2C474E04219CFDB14CF99C981ADDBBB6BF89304F648199D508AB356DB70A982CF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID: <$ntin$ntinf
                    • API String ID: 544645111-1815388321
                    • Opcode ID: a0775577c76b8c01928a164e795173bf0de80f4b1f2f3e028090e81183397227
                    • Instruction ID: 95af476b77873a41ad0d64ec31e3e39c70a18c5f65417b2013292f86bea3d7af
                    • Opcode Fuzzy Hash: a0775577c76b8c01928a164e795173bf0de80f4b1f2f3e028090e81183397227
                    • Instruction Fuzzy Hash: 81A2C274E042198FDB14CF99C981ADDBBF2BF89304F6481A9D508AB755DB30AD82CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: D0l$D0l$D0l
                    • API String ID: 0-195073329
                    • Opcode ID: 8b9a776434f0518370e9e72a768bd553c1b4addbefccc4930c049570cd6c59c9
                    • Instruction ID: b1916e05deeeadf9089b7658e0ebbe5395d272d1a0fbb4f741431b272b59dae5
                    • Opcode Fuzzy Hash: 8b9a776434f0518370e9e72a768bd553c1b4addbefccc4930c049570cd6c59c9
                    • Instruction Fuzzy Hash: 30726B70A002199FDB14DFA9CC94AAEBBB6BF88304F558069E506EB395DB34DD41CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID: <$ntin$ntinf
                    • API String ID: 544645111-1815388321
                    • Opcode ID: e59857c4f3488e77878a983fd186a5dc7314426a05f14425edde291e8e1938aa
                    • Instruction ID: 78fc6149bd23496d385c441ee529b33cde848c1d4c184f20481cd73e98a5ec31
                    • Opcode Fuzzy Hash: e59857c4f3488e77878a983fd186a5dc7314426a05f14425edde291e8e1938aa
                    • Instruction Fuzzy Hash: 5CE183B5E006198FDB58CFAAC981ADEBBF6BF89300F14C0A9D508AB364DB345941CF55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <$@
                    • API String ID: 0-1426351568
                    • Opcode ID: 444c946f3314d62ff6ca71f856f3f69d0dcae9c5fa870084b056aed052400ba6
                    • Instruction ID: fff9b686f347e89e1fd9523e9cc89ebd696b97e45b631e13e9d431db0873045b
                    • Opcode Fuzzy Hash: 444c946f3314d62ff6ca71f856f3f69d0dcae9c5fa870084b056aed052400ba6
                    • Instruction Fuzzy Hash: B162AD74A01229CFDB64CFA9C984A9DFBF2BF48315F65C1A9D508AB211DB30AD81CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: #Hql^$3Hql^
                    • API String ID: 0-3529499044
                    • Opcode ID: 39894521cdf09c8327c5bd1525ad095d0a1e86f1c9dc2ac62654b7e5e72f56a0
                    • Instruction ID: 4dea0e733beee7dd1115c78189ffab060256d81eede68859b54fd9a85563ce21
                    • Opcode Fuzzy Hash: 39894521cdf09c8327c5bd1525ad095d0a1e86f1c9dc2ac62654b7e5e72f56a0
                    • Instruction Fuzzy Hash: B9220570E11228CFDB68DF65D8957EDBBB2BF49301F1094A9E50AA7390DB359A81CF10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: #Hql^$3Hql^
                    • API String ID: 0-3529499044
                    • Opcode ID: a8f17f58fa8756e042ce002e2edba26cca5027531abee1d56dda869926e1aa1c
                    • Instruction ID: 4f59c03971e64570afa0fbd1dbd44c5a795fa72a9d7124c42352e02e6ed9d902
                    • Opcode Fuzzy Hash: a8f17f58fa8756e042ce002e2edba26cca5027531abee1d56dda869926e1aa1c
                    • Instruction Fuzzy Hash: 7E22F574E11228CFDB68DF64D8957E9BBB2BB49301F1094A9E50AA7390DB359E81CF10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <$@
                    • API String ID: 0-1426351568
                    • Opcode ID: 4fb831bed40022f903b0cfcc8983cd65cb7e07cbf980fa75e226b2b89c71e4c0
                    • Instruction ID: 934698aa2d9147774ebb9e97a05b34f6996668d64842de6a6100c89919b7a772
                    • Opcode Fuzzy Hash: 4fb831bed40022f903b0cfcc8983cd65cb7e07cbf980fa75e226b2b89c71e4c0
                    • Instruction Fuzzy Hash: 4822CE70901219CFEB64CFAAC984A99FBF2BF48709F65C1A9D508AB211DB30DD81DF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessAsUserW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0F2E31D4
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 9bcfa916ea28592121a5cf6258e14b2530a749ece781225564fd8356e05e99a8
                    • Instruction ID: 287f80510a84deb02897584bf20501bb875913adc486ea7cf1a5b10c1e3671cc
                    • Opcode Fuzzy Hash: 9bcfa916ea28592121a5cf6258e14b2530a749ece781225564fd8356e05e99a8
                    • Instruction Fuzzy Hash: C191EFB4D0422D8FCB24CFA5C880BDDBBB5AF19304F5590A9E549B7220DB74AE85CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0F2E628B
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessAsUserW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0F2E31D4
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0F2E628B
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0F2E5B7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0F2E5B7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetThreadContext.KERNELBASE(?,?), ref: 0F2E5087
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetThreadContext.KERNELBASE(?,?), ref: 0F2E67E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,514A1B1F,DBBDF2D4), ref: 016A99E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 016AE199
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 016ADAE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,514A1B1F,DBBDF2D4), ref: 016A99E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 016ADAE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetThreadContext.KERNELBASE(?,?), ref: 0F2E67E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetThreadContext.KERNELBASE(?,?), ref: 0F2E5087
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 016AE199
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 016AE199
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ResumeThread.KERNELBASE(?), ref: 0F2E6A0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ResumeThread.KERNELBASE(?), ref: 0F2E6A0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.240308512.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: D0l
                    • API String ID: 0-3512419482
                    • Opcode ID: 32b167114e4d99c2f75ad1fed56222ab6732b9da3c6f94a8075dfbdd03064a7d
                    • Instruction ID: 319b5a3db97fcd4d4d29f5c6816230b228ce99de54c33d827d16557bc26a66f9
                    • Opcode Fuzzy Hash: 32b167114e4d99c2f75ad1fed56222ab6732b9da3c6f94a8075dfbdd03064a7d
                    • Instruction Fuzzy Hash: BDB1D630708612CFDB641B3D9C1627E79B6AF80A45F9584ADEA82C7A94DF34CD42CB53
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: @T
                    • API String ID: 0-2192118636
                    • Opcode ID: 5911a14b14830761e10ee869d44ed883f012bcfa2aad6595a77823580f39c564
                    • Instruction ID: 8a5ef751ed918b91a45a0201b7e0a126b92414fd44be80532f35a6f9e01feb22
                    • Opcode Fuzzy Hash: 5911a14b14830761e10ee869d44ed883f012bcfa2aad6595a77823580f39c564
                    • Instruction Fuzzy Hash: D4E107B4E10119CFCB14DFA9C5819AEFBB2FF88309F648169D514AB356DB30A942CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: p)
                    • API String ID: 0-2274439359
                    • Opcode ID: 98a6b641dba85d67bfbc9873f71399da15adde20190242fde84a7b877a86087e
                    • Instruction ID: 2e7a213f45cd97e43029feb7fd3d26fa1afbbf4780d9e31633345b9b8df5f165
                    • Opcode Fuzzy Hash: 98a6b641dba85d67bfbc9873f71399da15adde20190242fde84a7b877a86087e
                    • Instruction Fuzzy Hash: ADE116B4E101198FCB14DFA9C5809AEFBF2BF89305F648169D514AB356DB30A942CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 694f0be8c6208b534f0c512e859466880e43d796e7396e22f872557abcabde3f
                    • Instruction ID: d17bf46a41f0a91452180c09c6e3c8bf7672a137defc187088224ade4627d487
                    • Opcode Fuzzy Hash: 694f0be8c6208b534f0c512e859466880e43d796e7396e22f872557abcabde3f
                    • Instruction Fuzzy Hash: 9BE1F875E002188FDB58DFA9CC90BDDB7B2AF88314F5485A9D609AB352EB305E85CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2d24aea4b85fdde3609aa95de7891720325cd95e0540f2341727b715ad84d281
                    • Instruction ID: 9cdb78961a54d4f21cc75c4f8386f231cef0dc79c42af801f7d9b14eee70141b
                    • Opcode Fuzzy Hash: 2d24aea4b85fdde3609aa95de7891720325cd95e0540f2341727b715ad84d281
                    • Instruction Fuzzy Hash: 2AE128B4E101198FCB14DFA9C5909AEFBF2FF89304F648169D514AB356DB30A942CF62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5968098507a8ab741604b456350b7f990ac4bbd09bdec7c28a8e753d0fc5e3a7
                    • Instruction ID: 7bb98cb1dea04cdb86f4ba9d9bb07056febf3a5c278991dac9338ad01b8c0b3b
                    • Opcode Fuzzy Hash: 5968098507a8ab741604b456350b7f990ac4bbd09bdec7c28a8e753d0fc5e3a7
                    • Instruction Fuzzy Hash: A1E127B4E10119CFCB14DFA9C590AAEFBB6FF88304F248169D515AB356DB30A942CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.247812535.000000000F2E0000.00000040.00000001.sdmp, Offset: 0F2E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 589aa47bf7b9e329e62eb9aeda3122f3e0608db0a2afdf66a226bf29ecc778ae
                    • Instruction ID: 4baf9a3b5e8d63402cf72d75bebae51b1a666b3ad0e4c19c74f8ca10d4852d8c
                    • Opcode Fuzzy Hash: 589aa47bf7b9e329e62eb9aeda3122f3e0608db0a2afdf66a226bf29ecc778ae
                    • Instruction Fuzzy Hash: 40E116B4E101198FCB14DFA9C5809AEFBB2FF89305F648169D514AB356DB30AD42CF62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    Memory Dump Source
                    • Source File: 00000001.00000002.621679473.00000000066B0000.00000040.00000001.sdmp, Offset: 066B0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cf5fc1665fec753e3cae4b2f5e032e4d7bb30935fa4106facf858c8d4b4dd131
                    • Instruction ID: 51daed5144870b2ba54817c16675761a271d40606e4b5aa0cea659a8176abe22
                    • Opcode Fuzzy Hash: cf5fc1665fec753e3cae4b2f5e032e4d7bb30935fa4106facf858c8d4b4dd131
                    • Instruction Fuzzy Hash: 79814CB1E04219DFDB50DFA9D8806DEBBB1FF48314F20852AD415BB350DB74A98ACB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 02F0962E
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 8249fae7fd2077436ade697dca7300875552907b029e1ae5188ae2723695fc4e
                    • Instruction ID: abd85e8f0b7d5a4abe036ece1d67bc4f91f961c9cd58a7d5a2e6e5f739266e04
                    • Opcode Fuzzy Hash: 8249fae7fd2077436ade697dca7300875552907b029e1ae5188ae2723695fc4e
                    • Instruction Fuzzy Hash: 1C713470A00B058FD724DF2AD58475BBBF1BF88648F00892ED686D7A90EB75E845CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F0FD0A
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 280de34a4b2f51c8ed2e59cb6b227388fbdd05f709837e8d52873abfab430ba5
                    • Instruction ID: 905b21414afe078e1088f4f901054bb1085319c5b1b05fa109beaef9ca3abb7c
                    • Opcode Fuzzy Hash: 280de34a4b2f51c8ed2e59cb6b227388fbdd05f709837e8d52873abfab430ba5
                    • Instruction Fuzzy Hash: AE6157B1D053889FDB15CFA9D880ACEBFB1BF49314F28815EE415AB252CB359846CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F0FD0A
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: ea1bdd2f1daf69abccf99e0734dbc6fb1b0cd5cd9d8bf80fe679ed57e697202a
                    • Instruction ID: d300478808bdf0a66037dd2a38c96afec1ff7661ce66e70b4700073b44405772
                    • Opcode Fuzzy Hash: ea1bdd2f1daf69abccf99e0734dbc6fb1b0cd5cd9d8bf80fe679ed57e697202a
                    • Instruction Fuzzy Hash: 3E5112B1C05249AFDF11CFA9D880ADEBFB2FF48314F14826AE909AB261D7719845DF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 066B3738
                    Memory Dump Source
                    • Source File: 00000001.00000002.621679473.00000000066B0000.00000040.00000001.sdmp, Offset: 066B0000, based on PE: false
                    Similarity
                    • API ID: Query_
                    • String ID:
                    • API String ID: 428220571-0
                    • Opcode ID: e66e91a8b8d5532876bd7bb18f164670e258134abcdf6075d94bbe4f8f4302b7
                    • Instruction ID: 0a905540714b29006179f36ae45d3b6d9020fcb41a50cd48df714ed98c6543e8
                    • Opcode Fuzzy Hash: e66e91a8b8d5532876bd7bb18f164670e258134abcdf6075d94bbe4f8f4302b7
                    • Instruction Fuzzy Hash: AE5105B1D04258DFDB50CFA9C8846DEBBB1BF48314F248129E815BB350DBB4A986CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 066B3738
                    Memory Dump Source
                    • Source File: 00000001.00000002.621679473.00000000066B0000.00000040.00000001.sdmp, Offset: 066B0000, based on PE: false
                    Similarity
                    • API ID: Query_
                    • String ID:
                    • API String ID: 428220571-0
                    • Opcode ID: 58e3548fa3f69320ab2d689bd74ea6e980aa7e5215af9def506f32203ff9b785
                    • Instruction ID: aa1c127678d4bd649abf2243402023815f27c25cad9b7b2c40aad448aafb886c
                    • Opcode Fuzzy Hash: 58e3548fa3f69320ab2d689bd74ea6e980aa7e5215af9def506f32203ff9b785
                    • Instruction Fuzzy Hash: 2551F3B1D00219DFDB50CFA9D9846DEBBB1BF48314F248129E815BB350DBB4A986CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 066B3738
                    Memory Dump Source
                    • Source File: 00000001.00000002.621679473.00000000066B0000.00000040.00000001.sdmp, Offset: 066B0000, based on PE: false
                    Similarity
                    • API ID: Query_
                    • String ID:
                    • API String ID: 428220571-0
                    • Opcode ID: 104a4bb68cd0ae4786a8b11cd10c3aaeb7c0d72b968e848a3d7511a26ae131fa
                    • Instruction ID: 7cd32afb6fa4772cf4d1883b2212154eab0b9b5fbf7da46b1acc96fe263d1dbe
                    • Opcode Fuzzy Hash: 104a4bb68cd0ae4786a8b11cd10c3aaeb7c0d72b968e848a3d7511a26ae131fa
                    • Instruction Fuzzy Hash: 3951E2B1D00619DFDB50CFA9D8846DEBBB1BF48314F248129E815BB350DBB4A986CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F0FD0A
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 755120313391fff34983d8045674f14609ed40056fc65ecae60c5b22381ed620
                    • Instruction ID: 2453847cfc3afec195a2f72dd4dc56bc07f4f6a5f061433edf7244f5cf526301
                    • Opcode Fuzzy Hash: 755120313391fff34983d8045674f14609ed40056fc65ecae60c5b22381ed620
                    • Instruction Fuzzy Hash: 2251E2B1D00308DFDB14CF99D884ADEBBB5BF48354F24822AE919AB650DB709845CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F0BCC6,?,?,?,?,?), ref: 02F0BD87
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 456c3d65fb871a81755e2b88aefc5af5c15684732534ff5353794d0d0da364b0
                    • Instruction ID: f8664d6eee5715c66af7949c2d51f40e87f3c53412e22f4688e080b6c70de266
                    • Opcode Fuzzy Hash: 456c3d65fb871a81755e2b88aefc5af5c15684732534ff5353794d0d0da364b0
                    • Instruction Fuzzy Hash: E721E5B59012089FDB10DFAAD984AEEFBF4EB48324F14841AE915A7350D374A944DFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F0BCC6,?,?,?,?,?), ref: 02F0BD87
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 6a2041786692193fc8b914e092bd0ffb1c0ef389668ece669b9564387053008d
                    • Instruction ID: 9ad87b286a1f346b082ac80c431810650f1dd830d26eb5f3bb725d4218ccbe84
                    • Opcode Fuzzy Hash: 6a2041786692193fc8b914e092bd0ffb1c0ef389668ece669b9564387053008d
                    • Instruction Fuzzy Hash: DE2103B5D012089FCB10CFA9D584AEEFBF4EB08324F14841AE955B3310C339A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02F096A9,00000800,00000000,00000000), ref: 02F098BA
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 8efc9a15efc72508ed0d13803e89ce1013b56308dff5cae19fbc583bf3e5888a
                    • Instruction ID: 8a21e4cd8e93c702fac2ed4ed96ba6e4c7c2cca323241d9f5af0566d390822e1
                    • Opcode Fuzzy Hash: 8efc9a15efc72508ed0d13803e89ce1013b56308dff5cae19fbc583bf3e5888a
                    • Instruction Fuzzy Hash: DE1133B6D002088FCB10CFAAD484BDEFBF4EB48364F44842AE915A7700C3B5A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02F096A9,00000800,00000000,00000000), ref: 02F098BA
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 27198bc2a956f9739e18e16dcc24a27eef7d5b18faf8d0f7a64a08d74e0aeb79
                    • Instruction ID: 17084492c46b8ddd76f0b70f6619d304c74b7339679ed7c848c90413b5044f66
                    • Opcode Fuzzy Hash: 27198bc2a956f9739e18e16dcc24a27eef7d5b18faf8d0f7a64a08d74e0aeb79
                    • Instruction Fuzzy Hash: 1E1133B6C002088FDB10CF9AD484ADEFBF4AB48324F54842AE515A7740C375A545CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 02F0962E
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 84cbdac0d3689a454033c524affd9bc059138881a7725707dc0c40eff271c4ce
                    • Instruction ID: 42c2a2785fd4a4e84aaa6b7ff5cde7e7a62557469a0a6fd4353409b4167dbd1a
                    • Opcode Fuzzy Hash: 84cbdac0d3689a454033c524affd9bc059138881a7725707dc0c40eff271c4ce
                    • Instruction Fuzzy Hash: 041110B5C006498FCB20CF9AD484BDEFBF4AB88328F14841AD529A7640D375A545CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02F0FE28,?,?,?,?), ref: 02F0FE9D
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    • Opcode ID: 69ec5e3ce3c2681119a0bd75c0a511a5f586e80501277ca261ed08f0f5a11606
                    • Instruction ID: 816776b4c328f5cf1c620638bab40ec564db84cef59ae287ee18fb4ac202351c
                    • Opcode Fuzzy Hash: 69ec5e3ce3c2681119a0bd75c0a511a5f586e80501277ca261ed08f0f5a11606
                    • Instruction Fuzzy Hash: EA1136B5900208CFCB20DF9AD584BDFBBF8EB48324F108559E919A3741C374A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02F0FE28,?,?,?,?), ref: 02F0FE9D
                    Memory Dump Source
                    • Source File: 00000001.00000002.615953697.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    • Opcode ID: 39f6fbe023b2516f52066eea3aaf60d29662da70ea925b4aebad093fde2a4313
                    • Instruction ID: 4ef957d56bbb8c38b713f7e162648f178eb7ec17fdc32270a6b049de650caf08
                    • Opcode Fuzzy Hash: 39f6fbe023b2516f52066eea3aaf60d29662da70ea925b4aebad093fde2a4313
                    • Instruction Fuzzy Hash: F611F2B58002089FDB20DF9AD589BDFBBF8EB48324F10855AE919B7741C774A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.615067928.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b381e942aa6d470571a4cadc5b233160ccd92fdd767cbfa0d3898c05602cc1ab
                    • Instruction ID: 59bca254e1048ddc11395224553425845ac019567b6752c1a0a1a6cf8ebf97e9
                    • Opcode Fuzzy Hash: b381e942aa6d470571a4cadc5b233160ccd92fdd767cbfa0d3898c05602cc1ab
                    • Instruction Fuzzy Hash: 492148B1504244DFDB01EF94D9C0B26BF65FB8432CF30C569E9050B616C376E805CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.615573223.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f1149a4cb0431a05888e8a01c903f58cd114f6b9b4f3cced64176477286acc1d
                    • Instruction ID: 87ae9d22070477e1304ee2e041174d6aacd1e64b85a7afdcf4cc4ffe0424eefa
                    • Opcode Fuzzy Hash: f1149a4cb0431a05888e8a01c903f58cd114f6b9b4f3cced64176477286acc1d
                    • Instruction Fuzzy Hash: 832122B1904240DFCB15DFA4DDC0B26BB65FB94B58F20C9ADE80A4B346C33AD847CA61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.615067928.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4c44e5517e690f366dff050201c0b94941bd0826892d3e316883c0148e970eb9
                    • Instruction ID: e6d4e0bf59d7d5c33e9cc5b267a0c39adceaee3e89ced714bb857d9291cc8511
                    • Opcode Fuzzy Hash: 4c44e5517e690f366dff050201c0b94941bd0826892d3e316883c0148e970eb9
                    • Instruction Fuzzy Hash: 5E11AF76804280CFDB12DF58D5C4B16BF71FB84328F3486A9D9050B617C376D45ACBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.615573223.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 088bb676d9cc58b7b5583b2d12a323ce7eb7cea81b0eb8fe1e3b9802e29bf41a
                    • Instruction ID: b990da66b9bf65f400fe869bf62ad77198cc06450ee58ebf992adc8cfec87d96
                    • Opcode Fuzzy Hash: 088bb676d9cc58b7b5583b2d12a323ce7eb7cea81b0eb8fe1e3b9802e29bf41a
                    • Instruction Fuzzy Hash: 3E11BE75904280CFCB12CF54D9C4B15FB61FB44714F24C6A9D8094B756C33AD44ACB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0E99628B
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 50ce04bc61be99753740ef3dd25c3f986090255dc163c54dbf95ca9b71ceef52
                    • Instruction ID: fa5ce2d6c603173fdbd20b203137d171b5aa4c0838bf5f19e6d2721d18de33ed
                    • Opcode Fuzzy Hash: 50ce04bc61be99753740ef3dd25c3f986090255dc163c54dbf95ca9b71ceef52
                    • Instruction Fuzzy Hash: 5041DAB5D052489FCF00CFA9D884AEEBBF0BF09314F14946AE814BB201D334A946DF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessAsUserW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0E9932F4
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 2188f0ccbed161e2d2843403f80cd3259f17ff9356654f6cee2252a9a93b3a5d
                    • Instruction ID: f7c714a34972084ef968d373d9fe943fc6c13d2eea663ef8d1879abe089e59f9
                    • Opcode Fuzzy Hash: 2188f0ccbed161e2d2843403f80cd3259f17ff9356654f6cee2252a9a93b3a5d
                    • Instruction Fuzzy Hash: A291E0B4D0422D8FCF25CFA9C880BDDBBB5AB19304F0590A9E549B7220DB70AE85CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessAsUserW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0E9932F4
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 0d5b4a44d2967508058b3f44741938f8139564f01efa0ae297714e1cbc1daa29
                    • Instruction ID: 4d5c5a052569f7278db6397554ea366cf773b10d64144146c775d1eeaef32936
                    • Opcode Fuzzy Hash: 0d5b4a44d2967508058b3f44741938f8139564f01efa0ae297714e1cbc1daa29
                    • Instruction Fuzzy Hash: FA91D0B4D0422D8FCF25CFA9C880BDDBBB5AB19304F4590A9E549B7220DB70AE85CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0E99628B
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 7c9ec5a112beb570b4421a8882127636f36bb39240ea09e6146916e193f644bd
                    • Instruction ID: f16d9b7474480a47863df4f2e20492087593973aa396a5c5d5098b79596e13bb
                    • Opcode Fuzzy Hash: 7c9ec5a112beb570b4421a8882127636f36bb39240ea09e6146916e193f644bd
                    • Instruction Fuzzy Hash: 2B4197B5D012589FCF00CFA9D984AEEFBF1BB49314F14942AE819B7200D778AA45DF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0E995B7A
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: db7a8fda9ae80c74f1209e94f1e810ff19d3cb229cbc0ab95cb556e77c3a68ad
                    • Instruction ID: 7e29bc569177b49b96044cfbf2dd89421ba36b9b52850bf40288838ae249e879
                    • Opcode Fuzzy Hash: db7a8fda9ae80c74f1209e94f1e810ff19d3cb229cbc0ab95cb556e77c3a68ad
                    • Instruction Fuzzy Hash: 4731B5B8D042589FCF10CFA9D980AEEFBB1AF09314F14942AE815BB310D734A906CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0E995B7A
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 41d1e623de0591ddc20e2d6647be244aab520c031630a5f6bf64b1e8c1c4c962
                    • Instruction ID: 554ef1b7771565ebc683c07fd13de1424037af952cdf7641f0c98cd0da7210bb
                    • Opcode Fuzzy Hash: 41d1e623de0591ddc20e2d6647be244aab520c031630a5f6bf64b1e8c1c4c962
                    • Instruction Fuzzy Hash: 9231A6B8D042589FCF10CFA9D880AEEFBB5BB49314F10942AE815B7310D735A906CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetThreadContext.KERNELBASE(?,?), ref: 0E9967E7
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    • Opcode ID: 1fead793038f118781e719129879cc52320101779e55ff1b8100b74a0e95a138
                    • Instruction ID: 9d978872af0a87658e0ea8dd40ebf2f83f12bd2a060ac7ae8184a075849a0800
                    • Opcode Fuzzy Hash: 1fead793038f118781e719129879cc52320101779e55ff1b8100b74a0e95a138
                    • Instruction Fuzzy Hash: 5341BCB4D002589FCF10DFAAD884AEEFBF1AF49314F14842AE415B7201D738A945CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DB99E7
                    Memory Dump Source
                    • Source File: 00000004.00000002.289138636.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 1058dbd0f4239c1f42f1ee886415d1d5b42bdc32848ec8b2380968e41d8885ad
                    • Instruction ID: 7cc9f610b2602f212445b2a0318c3a58ea5092b0469085d54ee2ab734a892d06
                    • Opcode Fuzzy Hash: 1058dbd0f4239c1f42f1ee886415d1d5b42bdc32848ec8b2380968e41d8885ad
                    • Instruction Fuzzy Hash: E43198B9D042589FCF10CFA9E484AEEFBB0AB09310F14946AE855B7210C774A945CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DBDAE7
                    Memory Dump Source
                    • Source File: 00000004.00000002.289138636.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 70974c7e31d5b0ed28899fb3cebdc48af9a9937767c4206a452ac9c0318aa26f
                    • Instruction ID: 0ba4f2481caccca9d91b4877a6f603b62ed9eb2338db29282c28d2aee9c4e100
                    • Opcode Fuzzy Hash: 70974c7e31d5b0ed28899fb3cebdc48af9a9937767c4206a452ac9c0318aa26f
                    • Instruction Fuzzy Hash: 1031A8B9D042189FCB14CFA9E984ADEFBB1AB09310F24902AE815B7210D774A945CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetThreadContext.KERNELBASE(?,?), ref: 0E995087
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DB99E7
                    Memory Dump Source
                    • Source File: 00000004.00000002.289138636.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DBDAE7
                    Memory Dump Source
                    • Source File: 00000004.00000002.289138636.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetThreadContext.KERNELBASE(?,?), ref: 0E995087
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetThreadContext.KERNELBASE(?,?), ref: 0E9967E7
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 00DBE199
                    Memory Dump Source
                    • Source File: 00000004.00000002.289138636.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 00DBE199
                    Memory Dump Source
                    • Source File: 00000004.00000002.289138636.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 00DBE199
                    Memory Dump Source
                    • Source File: 00000004.00000002.289138636.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ResumeThread.KERNELBASE(?), ref: 0E996A0E
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ResumeThread.KERNELBASE(?), ref: 0E996A0E
                    Memory Dump Source
                    • Source File: 00000004.00000002.304793089.000000000E990000.00000040.00000001.sdmp, Offset: 0E990000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0126B730
                    • GetCurrentThread.KERNEL32 ref: 0126B76D
                    • GetCurrentProcess.KERNEL32 ref: 0126B7AA
                    • GetCurrentThreadId.KERNEL32 ref: 0126B803
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0126B730
                    • GetCurrentThread.KERNEL32 ref: 0126B76D
                    • GetCurrentProcess.KERNEL32 ref: 0126B7AA
                    • GetCurrentThreadId.KERNEL32 ref: 0126B803
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0126FD0A
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0126962E
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0126FD0A
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0126BD87
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0126BD87
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0126BD87
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012696A9,00000800,00000000,00000000), ref: 012698BA
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012696A9,00000800,00000000,00000000), ref: 012698BA
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0126962E
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?), ref: 0126FE9D
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?), ref: 0126FE9D
                    Memory Dump Source
                    • Source File: 00000007.00000002.308075483.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.307763397.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.307877694.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.307877694.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.307763397.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions