Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report 256ec8f8f67b59c5e085b0bb63afcd13.exe

Overview

General Information

Sample Name:256ec8f8f67b59c5e085b0bb63afcd13.exe
Analysis ID:355753
MD5:0bbcc2e64e3edf053ed4af2c0bafb0eb
SHA1:c006b8d2ec4b92f441815b20f1bdadf98eab1b4d
SHA256:52d01903f7c366e01359a00ea771ca1f71d4e1bb54731290bc62c3a218f5af80
Tags:exeNanoCoreRAT

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe' MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
    • 256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6416 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
      • schtasks.exe (PID: 6540 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6632 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA082.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 2460 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
    • dhcpmon.exe (PID: 6500 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
  • dhcpmon.exe (PID: 7160 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
    • dhcpmon.exe (PID: 5748 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.orgbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x23877:$a: NanoCore
    • 0x238d0:$a: NanoCore
    • 0x2390d:$a: NanoCore
    • 0x23986:$a: NanoCore
    • 0x238d9:$b: ClientPlugin
    • 0x23916:$b: ClientPlugin
    • 0x24214:$b: ClientPlugin
    • 0x24221:$b: ClientPlugin
    • 0x1b5fe:$e: KeepAlive
    • 0x23d61:$g: LogClientMessage
    • 0x23ce1:$i: get_Connected
    • 0x158a9:$j: #=q
    • 0x158d9:$j: #=q
    • 0x15915:$j: #=q
    • 0x1593d:$j: #=q
    • 0x1596d:$j: #=q
    • 0x1599d:$j: #=q
    • 0x159cd:$j: #=q
    • 0x159fd:$j: #=q
    • 0x15a19:$j: #=q
    • 0x15a49:$j: #=q
    00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x23761d:$x1: NanoCore.ClientPluginHost
    • 0x26a03d:$x1: NanoCore.ClientPluginHost
    • 0x23765a:$x2: IClientNetworkHost
    • 0x26a07a:$x2: IClientNetworkHost
    • 0x23b18d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x26dbad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x237385:$a: NanoCore
      • 0x237395:$a: NanoCore
      • 0x2375c9:$a: NanoCore
      • 0x2375dd:$a: NanoCore
      • 0x23761d:$a: NanoCore
      • 0x269da5:$a: NanoCore
      • 0x269db5:$a: NanoCore
      • 0x269fe9:$a: NanoCore
      • 0x269ffd:$a: NanoCore
      • 0x26a03d:$a: NanoCore
      • 0x2373e4:$b: ClientPlugin
      • 0x2375e6:$b: ClientPlugin
      • 0x237626:$b: ClientPlugin
      • 0x269e04:$b: ClientPlugin
      • 0x26a006:$b: ClientPlugin
      • 0x26a046:$b: ClientPlugin
      • 0x1835a1:$c: ProjectData
      • 0x23750b:$c: ProjectData
      • 0x269f2b:$c: ProjectData
      • 0x237f12:$d: DESCrypto
      • 0x26a932:$d: DESCrypto
      Click to see the 62 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      14.2.dhcpmon.exe.400000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      14.2.dhcpmon.exe.400000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      14.2.dhcpmon.exe.400000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        14.2.dhcpmon.exe.400000.0.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xd9ad:$x1: NanoCore.ClientPluginHost
        • 0xd9da:$x2: IClientNetworkHost
        Click to see the 122 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, ProcessId: 6416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp locationShow sources
        Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, ParentProcessId: 6416, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', ProcessId: 6540

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.orgbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORY
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPE
        Machine Learning detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
        Machine Learning detection for sampleShow sources
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeJoe Sandbox ML: detected
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpackAvira: Label: TR/NanoCore.fadte
        Source: 12.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 14.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

        Compliance:

        barindex
        Uses 32bit PE filesShow sources
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Uses new MSVCR DllsShow sources
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Binary contains paths to debug symbolsShow sources
        Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.904860246.0000000002A85000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.680575404.0000000008770000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907073740.0000000005920000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.717914840.00000000082E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724995186.00000000076E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.734162357.0000000008310000.00000002.00000001.sdmp
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 4x nop then lea ecx, dword ptr [ebp-30h]
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 4x nop then lea ecx, dword ptr [ebp-30h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then lea ecx, dword ptr [ebp-30h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then lea ecx, dword ptr [ebp-30h]

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: cloudhost.myfirewall.org
        Source: global trafficTCP traffic: 192.168.2.4:49743 -> 79.134.225.105:5654
        Source: Joe Sandbox ViewIP Address: 79.134.225.105 79.134.225.105
        Source: Joe Sandbox ViewASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
        Source: unknownDNS traffic detected: queries for: cloudhost.myfirewall.org
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639797895.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639860700.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comV
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639918482.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comcy5
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639900319.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comgne
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639918482.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comgy
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comint
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlay
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639797895.00000000056BE000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639991224.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comypo
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.640116720.00000000056BE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comypooo
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642010809.00000000056B5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers&
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642401940.00000000056B5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmln
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.641965748.00000000056B5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/k
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642184941.00000000056B5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers=
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642184941.00000000056B5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersQ
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643199147.00000000056B5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642893460.00000000056B5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersr
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/mzN
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comFpz3
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comals
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsekz
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.676929479.0000000005680000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.676929479.0000000005680000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.commzN
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comWh2
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comX
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comc
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comi
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639259634.0000000005684000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639244161.00000000056BD000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639394139.0000000005684000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639244161.00000000056BD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn7
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.644178396.000000000568D000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.637926766.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com;
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.637926766.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma-d
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638866258.0000000005686000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krC
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638866258.0000000005686000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr~y8
        Source: dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638355631.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comF
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638389150.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comFalMY~
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638412498.000000000569B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comalMY~
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORY
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.907132131.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.2fd3ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3493a98.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5980000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3393ac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3021680.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_052516DA NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_0525169F NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05479960
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05470878
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_054730D0
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05472F1F
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05479950
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_054799F6
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05474050
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05470868
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_054730C0
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05475B17
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05473E08
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05473E18
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_06DA06E5
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_00C42050
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_02AC0C8B
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_051289D8
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_05123850
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_05122FA8
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_0512B238
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_051295D8
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_0512306F
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_0512969F
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_008F2050
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C9960
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C0878
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C30D0
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C2F1F
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C9950
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C99F6
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C4050
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C0868
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C30C0
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C5B17
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C3E18
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C3E08
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_06CB06E5
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_00DA2050
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02562F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02560878
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_025630D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02569960
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02563E18
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02563E08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02565B17
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02564050
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02564060
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02560868
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_025630C0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02569950
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_025699F6
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_05EF06E5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_001C2050
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F9960
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F0878
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F30D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F2F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F9950
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F99F6
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F0868
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F4060
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F4050
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F30C0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F5B17
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F3E18
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F3E08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_06B506E5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00DB2050
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 11_2_05633850
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 11_2_056323A0
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 11_2_05632FA8
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 11_2_0563306F
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 11_2_00E02050
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeBinary or memory string: OriginalFilename vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.680775118.0000000008940000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.680630357.00000000087D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.680575404.0000000008770000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeBinary or memory string: OriginalFilename vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.905334352.0000000003011000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907237424.0000000005C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.906613014.0000000005230000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907073740.0000000005920000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907733213.00000000064D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeBinary or memory string: OriginalFilename vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.717914840.00000000082E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.718049286.0000000008340000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.702880837.00000000014FA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeBinary or memory string: OriginalFilename vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 0000000B.00000002.722198116.0000000005750000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeBinary or memory string: OriginalFilename) vs 256ec8f8f67b59c5e085b0bb63afcd13.exe
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.907132131.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.907132131.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.2fd3ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.2fd3ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3493a98.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3493a98.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5980000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5980000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3393ac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3393ac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3021680.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3021680.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@18/8@20/1
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_0525149A AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_05251463 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\256ec8f8f67b59c5e085b0bb63afcd13.exe.logJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_01
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{d1470c94-c693-4be3-b7c3-884d57fb2b86}
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile created: C:\Users\user\AppData\Local\Temp\tmp98F0.tmpJump to behavior
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile read: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe 'C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe'
        Source: unknownProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe {path}
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA082.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe {path}
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe {path}
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp'
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA082.tmp'
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.904860246.0000000002A85000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.680575404.0000000008770000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907073740.0000000005920000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.717914840.00000000082E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724995186.00000000076E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.734162357.0000000008310000.00000002.00000001.sdmp

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 0_2_05477743 push ds; retf
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_055C7743 push ds; retf
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_06CB0440 push ss; retf
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_06CB0500 push ss; retf
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 7_2_06CB052C push ss; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02567743 push ds; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_017F7743 push ds; retf
        Source: initial sampleStatic PE information: section name: .text entropy: 7.95731162888
        Source: initial sampleStatic PE information: section name: .text entropy: 7.95731162888
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeFile opened: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeWindow / User API: foregroundWindowGot 860
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 5936Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 6876Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 6876Thread sleep count: 216 > 30
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 6876Thread sleep count: 234 > 30
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 6648Thread sleep count: 204 > 30
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 6872Thread sleep time: -200000s >= -30000s
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 4780Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7136Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6208Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe TID: 4864Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7064Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5724Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_052511C2 GetSystemInfo,
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907733213.00000000064D0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907733213.00000000064D0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907733213.00000000064D0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000003.890425064.0000000006290000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907733213.00000000064D0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Injects a PE file into a foreign processesShow sources
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeMemory written: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeMemory written: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe {path}
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp'
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA082.tmp'
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeProcess created: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.905453286.00000000030CF000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.904742882.0000000001590000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.904742882.0000000001590000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.904742882.0000000001590000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORY
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.905334352.0000000003011000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.905334352.0000000003011000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORY
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPE
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_05252906 bind,
        Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exeCode function: 2_2_052528E3 bind,

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsScheduled Task/Job1Scheduled Task/Job1Access Token Manipulation1Masquerading2Input Capture11Security Software Discovery1Remote ServicesInput Capture11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsProcess Injection112Virtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Scheduled Task/Job1Disable or Modify Tools1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Access Token Manipulation1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection112LSA SecretsSystem Information Discovery13SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsHidden Files and Directories1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobObfuscated Files or Information3Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Software Packing13/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 355753 Sample: 256ec8f8f67b59c5e085b0bb63a... Startdate: 21/02/2021 Architecture: WINDOWS Score: 100 48 cloudhost.myfirewall.org 2->48 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 8 other signatures 2->58 9 256ec8f8f67b59c5e085b0bb63afcd13.exe 3 2->9         started        13 dhcpmon.exe 3 2->13         started        15 dhcpmon.exe 2 2->15         started        17 256ec8f8f67b59c5e085b0bb63afcd13.exe 2 2->17         started        signatures3 process4 file5 46 256ec8f8f67b59c5e085b0bb63afcd13.exe.log, ASCII 9->46 dropped 62 Injects a PE file into a foreign processes 9->62 19 256ec8f8f67b59c5e085b0bb63afcd13.exe 1 14 9->19         started        24 dhcpmon.exe 2 13->24         started        26 dhcpmon.exe 15->26         started        28 256ec8f8f67b59c5e085b0bb63afcd13.exe 2 17->28         started        signatures6 process7 dnsIp8 50 cloudhost.myfirewall.org 79.134.225.105, 49743, 49744, 49745 FINK-TELECOM-SERVICESCH Switzerland 19->50 38 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->40 dropped 42 C:\Users\user\AppData\Local\...\tmp98F0.tmp, XML 19->42 dropped 44 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->44 dropped 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->60 30 schtasks.exe 1 19->30         started        32 schtasks.exe 1 19->32         started        file9 signatures10 process11 process12 34 conhost.exe 30->34         started        36 conhost.exe 32->36         started       

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        256ec8f8f67b59c5e085b0bb63afcd13.exe100%Joe Sandbox ML

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack100%AviraTR/NanoCore.fadteDownload File
        12.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        14.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

        Domains

        SourceDetectionScannerLabelLink
        cloudhost.myfirewall.org1%VirustotalBrowse

        URLs

        SourceDetectionScannerLabelLink
        cloudhost.myfirewall.org1%VirustotalBrowse
        cloudhost.myfirewall.org0%Avira URL Cloudsafe
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.tiro.comFalMY~0%Avira URL Cloudsafe
        http://www.sandoll.co.kr~y80%Avira URL Cloudsafe
        http://www.sajatypeworks.com;0%Avira URL Cloudsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.tiro.comF0%Avira URL Cloudsafe
        http://www.carterandcone.comypooo0%Avira URL Cloudsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.carterandcone.com0%URL Reputationsafe
        http://www.carterandcone.com0%URL Reputationsafe
        http://www.carterandcone.com0%URL Reputationsafe
        http://www.carterandcone.comypo0%Avira URL Cloudsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.carterandcone.comV0%Avira URL Cloudsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.carterandcone.comlay0%Avira URL Cloudsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe
        http://www.sandoll.co.krC0%Avira URL Cloudsafe
        http://www.galapagosdesign.com/0%URL Reputationsafe
        http://www.galapagosdesign.com/0%URL Reputationsafe
        http://www.galapagosdesign.com/0%URL Reputationsafe
        http://www.fonts.comc0%URL Reputationsafe
        http://www.fonts.comc0%URL Reputationsafe
        http://www.fonts.comc0%URL Reputationsafe
        http://www.carterandcone.comgy0%Avira URL Cloudsafe
        http://www.carterandcone.comTC0%URL Reputationsafe
        http://www.carterandcone.comTC0%URL Reputationsafe
        http://www.carterandcone.comTC0%URL Reputationsafe
        http://www.fonts.comi0%Avira URL Cloudsafe
        http://www.carterandcone.comcy50%Avira URL Cloudsafe
        http://www.fonts.comWh20%Avira URL Cloudsafe
        http://www.tiro.comalMY~0%Avira URL Cloudsafe
        http://www.fonts.comX0%Avira URL Cloudsafe
        http://www.fontbureau.comFpz30%Avira URL Cloudsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.founder.com.cn/cn/0%URL Reputationsafe
        http://www.founder.com.cn/cn/0%URL Reputationsafe
        http://www.founder.com.cn/cn/0%URL Reputationsafe
        http://www.fontbureau.comalsekz0%Avira URL Cloudsafe
        http://www.carterandcone.comint0%Avira URL Cloudsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.founder.com.cn/cn70%Avira URL Cloudsafe
        http://www.fontbureau.commzN0%Avira URL Cloudsafe
        http://www.fontbureau.comm0%URL Reputationsafe
        http://www.fontbureau.comm0%URL Reputationsafe
        http://www.fontbureau.comm0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.sajatypeworks.coma-d0%Avira URL Cloudsafe
        http://www.fontbureau.comals0%URL Reputationsafe
        http://www.fontbureau.comals0%URL Reputationsafe
        http://www.fontbureau.comals0%URL Reputationsafe
        http://www.carterandcone.comgne0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        cloudhost.myfirewall.org
        		79.134.225.105
        		truetrueunknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        cloudhost.myfirewall.orgtrue
        • 1%, Virustotal, Browse
        • Avira URL Cloud: safe
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://www.fontbureau.com/designersG256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
          		high
          http://www.fontbureau.com/designers/?256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
            		high
            http://www.founder.com.cn/cn/bThe256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.tiro.comFalMY~256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638389150.000000000569B000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		low
            http://www.fontbureau.com/designers?256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
              		high
              http://www.sandoll.co.kr~y8256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638866258.0000000005686000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		low
              http://www.sajatypeworks.com;256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.637926766.000000000569B000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		low
              http://www.tiro.comdhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              		unknown
              http://www.fontbureau.com/designersdhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                		high
                http://www.tiro.comF256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638355631.000000000569B000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.carterandcone.comypooo256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.640116720.00000000056BE000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.goodfont.co.kr256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.carterandcone.com256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639797895.00000000056BE000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designersQ256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642184941.00000000056B5000.00000004.00000001.sdmpfalse
                  		high
                  http://www.carterandcone.comypo256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639797895.00000000056BE000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639991224.00000000056BE000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.fontbureau.com/mzN256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpfalse
                    		high
                    http://www.sajatypeworks.com256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.typography.netD256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cn/cThe256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.galapagosdesign.com/staff/dennis.htm256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://fontfabrik.com256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designersb256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643199147.00000000056B5000.00000004.00000001.sdmpfalse
                      		high
                      http://www.galapagosdesign.com/DPlease256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.carterandcone.comV256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.fonts.com256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                        		high
                        http://www.sandoll.co.kr256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.carterandcone.comlay256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.urwpp.deDPlease256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.zhongyicts.com.cn256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.sakkal.com256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.sandoll.co.krC256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638866258.0000000005686000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designersr256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642893460.00000000056B5000.00000004.00000001.sdmpfalse
                          		high
                          http://www.apache.org/licenses/LICENSE-2.0256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                            		high
                            http://www.fontbureau.com256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                              		high
                              http://www.galapagosdesign.com/256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.644178396.000000000568D000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.comc256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.carterandcone.comgy256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639918482.00000000056BE000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.carterandcone.comTC256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639860700.00000000056BE000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.comi256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-user.htmln256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642401940.00000000056B5000.00000004.00000001.sdmpfalse
                                		high
                                http://www.carterandcone.comcy5256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639918482.00000000056BE000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.fonts.comWh2256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.tiro.comalMY~256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638412498.000000000569B000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                http://www.fonts.comX256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.638167842.000000000569B000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.fontbureau.comFpz3256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.carterandcone.coml256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639394139.0000000005684000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/cabarga.htmlN256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.fontbureau.comalsekz256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.carterandcone.comint256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639713902.00000000056BE000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.com/designers&256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642010809.00000000056B5000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cn256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639259634.0000000005684000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639244161.00000000056BD000.00000004.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-user.html256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cn7256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639244161.00000000056BD000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.commzN256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.676929479.0000000005680000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.comm256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.676929479.0000000005680000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.jiyu-kobo.co.jp/256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sajatypeworks.coma-d256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.637926766.000000000569B000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/k256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.641965748.00000000056B5000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designers8256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.732352387.0000000005A00000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.fontbureau.com/designers=256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.642184941.00000000056B5000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.fontbureau.comals256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.643315337.0000000005684000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.carterandcone.comgne256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000003.639900319.00000000056BE000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown

                                            Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public

                                            IPDomainCountryFlagASNASN NameMalicious
                                            79.134.225.105
                                            		unknownSwitzerland
                                            		6775FINK-TELECOM-SERVICESCHtrue

                                            General Information

                                            Joe Sandbox Version:31.0.0 Emerald
                                            Analysis ID:355753
                                            Start date:21.02.2021
                                            Start time:19:09:11
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 12m 58s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:256ec8f8f67b59c5e085b0bb63afcd13.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:24
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@18/8@20/1
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 1.3% (good quality ratio 1.3%)
                                            • Quality average: 88.6%
                                            • Quality standard deviation: 6.7%
                                            HCA Information:
                                            • Successful, ratio: 99%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            Show All
                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                            • TCP Packets have been reduced to 100
                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 52.255.188.83, 168.61.161.212, 52.147.198.201, 40.126.31.137, 40.126.31.6, 20.190.159.138, 20.190.159.134, 40.126.31.8, 20.190.159.136, 40.126.31.1, 40.126.31.143, 93.184.220.29, 51.104.144.132, 13.107.4.50, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247
                                            • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, Edge-Prod-FRA.env.au.au-msedge.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ocsp.digicert.com, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            19:09:59API Interceptor852x Sleep call for process: 256ec8f8f67b59c5e085b0bb63afcd13.exe modified
                                            19:10:12AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            19:10:14Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe" s>$(Arg0)
                                            19:10:14Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                            19:10:15API Interceptor2x Sleep call for process: dhcpmon.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            79.134.225.105d88e07467ddcf9e3b19fa972b9f000d1.exeGet hashmaliciousBrowse
                                              73a4f40d0affe5eea89174f8917bba73.exeGet hashmaliciousBrowse
                                                9a08c8a2b49d6348f2ef35f85a1c6351.exeGet hashmaliciousBrowse
                                                  7eec14e7cec4dc93fbf53e08998b2340.exeGet hashmaliciousBrowse
                                                    f2a22415c1b108ce91fd76e3320431d0.exeGet hashmaliciousBrowse
                                                      1d8eff2bc76e46dc186fa501e24f5cb1.exeGet hashmaliciousBrowse
                                                        1464bbe24dac1f403f15b3c3860f37ca.exeGet hashmaliciousBrowse
                                                          1d78424ce6944359d546dbcbc030f19e.exeGet hashmaliciousBrowse
                                                            84ab43f7eda35ae038b199d3a3586b77.exeGet hashmaliciousBrowse
                                                              Require_Quote_20200128 SSG.pdf ind.exeGet hashmaliciousBrowse
                                                                DHL FILE 987634732.exeGet hashmaliciousBrowse
                                                                  file.exeGet hashmaliciousBrowse
                                                                    NKF20205 LIST.exeGet hashmaliciousBrowse
                                                                      URGENT PO.exeGet hashmaliciousBrowse
                                                                        scan002947779488.exeGet hashmaliciousBrowse

                                                                          Domains

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                          cloudhost.myfirewall.org9a08c8a2b49d6348f2ef35f85a1c6351.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.105
                                                                          zSDBuG8gDl.exeGet hashmaliciousBrowse
                                                                          • 185.229.243.67
                                                                          65d1beae1fc7eb126cd4a9b277afb942.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.96
                                                                          f2a22415c1b108ce91fd76e3320431d0.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.105
                                                                          1d8eff2bc76e46dc186fa501e24f5cb1.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.105
                                                                          5134b758f8eb77424254ce67f4697ffe.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.96
                                                                          1d8eff2bc76e46dc186fa501e24f5cb1.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.96
                                                                          460f7e6048ed3ca91f1573a7410fedd6.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.96
                                                                          1d78424ce6944359d546dbcbc030f19e.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.105

                                                                          ASN

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                          FINK-TELECOM-SERVICESCHJOIN.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.30
                                                                          Delivery pdf.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.25
                                                                          d88e07467ddcf9e3b19fa972b9f000d1.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.105
                                                                          fnfqzfwC44.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.25
                                                                          Solicitud de oferta 6100003768.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.96
                                                                          Nrfgylra.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.96
                                                                          HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.62
                                                                          HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.62
                                                                          HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.62
                                                                          Form pdf.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.25
                                                                          Quotation 3342688.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.120
                                                                          REQUEST FOR QUOTATION.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.76
                                                                          Orden.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.6
                                                                          Ordine.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.11
                                                                          73a4f40d0affe5eea89174f8917bba73.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.105
                                                                          ToolNcatalogpri00088756564162021.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.45
                                                                          INV WJD000030036000137675999, xlsx.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.69
                                                                          Kreuzmayr_PO_22656_65564345565643ETD,pdf.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.73
                                                                          jYHhaKx7OH.exeGet hashmaliciousBrowse
                                                                          • 79.134.225.96
                                                                          request.docGet hashmaliciousBrowse
                                                                          • 79.134.225.69

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Process:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):412672
                                                                          Entropy (8bit):7.944378053087377
                                                                          Encrypted:false
                                                                          SSDEEP:6144:x/7jHNyWI+b1m3N2teCoTpkB/Bm8V/7bLf8q2/MQo1m1dupfmndJLvG:fEaE3N20CBTHU/Noydupf2
                                                                          MD5:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          SHA1:C006B8D2EC4B92F441815B20F1BDADF98EAB1B4D
                                                                          SHA-256:52D01903F7C366E01359A00EA771CA1F71D4E1BB54731290BC62C3A218F5AF80
                                                                          SHA-512:0BED9AC8299A16BA8F9DEFA6160A97654B08C86BF038367FC5508A90240C5801320955DCA4D452FD7E41F16CC1A71A20AC0A946D80101DC65E9495C15F98EF3C
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:low
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._h2`..............0..@..........j^... ...`....@.. ....................................@..................................^..O....`.. ............................................................................ ............... ..H............text...p>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc...............J..............@..B................L^......H.......LQ..$>......\...p................................................0...........r...p.+..*..0...........r...p.+..*".(.....*^..}.....(.......(.....*.0...........s....%.{....o....o......+..*..*.0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......(......{....o.....{....o......{....o.....{....o......{........s ...o!.....{....r...po".....{.... .....#s#...o$.....{.....o%.
                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                                          Process:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Reputation:high, very likely benign file
                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\256ec8f8f67b59c5e085b0bb63afcd13.exe.log
                                                                          Process:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):525
                                                                          Entropy (8bit):5.2874233355119316
                                                                          Encrypted:false
                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                                          MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                                          SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                                          SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                                          SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                                          Malicious:true
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):525
                                                                          Entropy (8bit):5.2874233355119316
                                                                          Encrypted:false
                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                                          MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                                          SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                                          SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                                          SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                          C:\Users\user\AppData\Local\Temp\tmp98F0.tmp
                                                                          Process:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1322
                                                                          Entropy (8bit):5.162258309875531
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YbGPxtn:cbk4oL600QydbQxIYODOLedq3uj
                                                                          MD5:B78304EA0D7AFCCEFC8CFF617158D17C
                                                                          SHA1:76DD98BBFE885893DC19059C139EDCB829DFA21E
                                                                          SHA-256:B80490FC583697FD68F2B7D0986C9F3BA3944BDB9AEA7F17C826E26BF1749C7F
                                                                          SHA-512:44682D75002B56551B4075616110FF4887DD298D7B9B96A312BDDAB6AB94A7E42AFADF690CED378FF403337185DD74C77D2B4DABE3BB60B9642C24079AC51067
                                                                          Malicious:true
                                                                          Reputation:low
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Local\Temp\tmpA082.tmp
                                                                          Process:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):1310
                                                                          Entropy (8bit):5.109425792877704
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                          Process:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:JPn:JPn
                                                                          MD5:5BF06D5C11AE13FC9970936540EB0703
                                                                          SHA1:54B778FC0BA984A04D47CB1E5C6E8252E9BE3FF9
                                                                          SHA-256:39974C521C78E35079501265DF5A694586DAB94A7EE52F6E923756C5AFE5F3F0
                                                                          SHA-512:C0CF94EB89C82DD4D0B9F798D1C30D02F93C8A02C526F5605356F649259F23ED47820D99F10B94A34929EC144835D9F389121AEF98E55EB5CB30CCBFF6B0FC30
                                                                          Malicious:true
                                                                          Preview: .>....H
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                          Process:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):59
                                                                          Entropy (8bit):4.5831339906659565
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNt+WfWXQj0I/sPDWsC:oNwvAj0Gs7lC
                                                                          MD5:90C08D85024FAD583545EC9562AA4A7E
                                                                          SHA1:FB6483F47BEC7ED49479D276986B4B789D9725AD
                                                                          SHA-256:28D29127F67EA98D32833FAC5491366FEC57805EAFF2B15A8AB9AF2555EADCA3
                                                                          SHA-512:EEC099998337F7294CFA0C273BFC1D31CDBA555935163CC483E00D7451A529ECF71131EAB74549B031EA9F6A15531F68D5CA1A4070D3EB7B97E5CC13D1701C73
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.944378053087377
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          File name:256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          File size:412672
                                                                          MD5:0bbcc2e64e3edf053ed4af2c0bafb0eb
                                                                          SHA1:c006b8d2ec4b92f441815b20f1bdadf98eab1b4d
                                                                          SHA256:52d01903f7c366e01359a00ea771ca1f71d4e1bb54731290bc62c3a218f5af80
                                                                          SHA512:0bed9ac8299a16ba8f9defa6160a97654b08c86bf038367fc5508a90240c5801320955dca4d452fd7e41f16cc1a71a20ac0a946d80101dc65e9495c15f98ef3c
                                                                          SSDEEP:6144:x/7jHNyWI+b1m3N2teCoTpkB/Bm8V/7bLf8q2/MQo1m1dupfmndJLvG:fEaE3N20CBTHU/Noydupf2
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._h2`..............0..@..........j^... ...`....@.. ....................................@................................

                                                                          File Icon

                                                                          Icon Hash:00828e8e8686b000

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x465e6a
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0x6032685F [Sun Feb 21 14:04:15 2021 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v2.0.50727
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al

                                                                          Data Directories

                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x65e180x4f.text
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x660000x620.rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x680000xc.reloc
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                          Sections

                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                          .text0x20000x63e700x64000False0.948125data7.95731162888IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                          .rsrc0x660000x6200x800False0.3427734375data3.56974614095IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .reloc0x680000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          NameRVASizeTypeLanguageCountry
                                                                          RT_VERSION0x660900x390data
                                                                          RT_MANIFEST0x664300x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                          Imports

                                                                          DLLImport
                                                                          mscoree.dll_CorExeMain

                                                                          Version Infos

                                                                          DescriptionData
                                                                          Translation0x0000 0x04b0
                                                                          LegalCopyright2013-2021 (C) Blackboard Learn
                                                                          Assembly Version16.60.0.4
                                                                          InternalName0FDM.exe
                                                                          FileVersion16.69.0.4
                                                                          CompanyNameBlackboard Learn
                                                                          LegalTrademarks
                                                                          CommentsMoodle
                                                                          ProductNameStudent Studio
                                                                          ProductVersion16.69.0.4
                                                                          FileDescriptionStudent Studio
                                                                          OriginalFilename0FDM.exe

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Feb 21, 2021 19:10:14.481653929 CET497435654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:14.565690994 CET56544974379.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:15.072868109 CET497435654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:15.159531116 CET56544974379.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:15.664880037 CET497435654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:15.747469902 CET56544974379.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:19.969670057 CET497445654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:20.058454990 CET56544974479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:20.618283033 CET497445654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:20.703840017 CET56544974479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:21.212810993 CET497445654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:21.301839113 CET56544974479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:25.510416985 CET497455654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:25.595660925 CET56544974579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:26.196866989 CET497455654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:26.282290936 CET56544974579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:26.884773016 CET497455654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:26.970243931 CET56544974579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:31.217709064 CET497465654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:31.301038027 CET56544974679.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:31.816807032 CET497465654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:31.899502993 CET56544974679.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:32.416230917 CET497465654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:32.501424074 CET56544974679.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:36.666985035 CET497515654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:36.751816034 CET56544975179.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:37.307209015 CET497515654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:37.393260002 CET56544975179.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:37.916681051 CET497515654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:38.001872063 CET56544975179.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:42.088305950 CET497525654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:42.175749063 CET56544975279.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:42.682614088 CET497525654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:42.768296957 CET56544975279.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:43.276427984 CET497525654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:43.364061117 CET56544975279.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:48.494093895 CET497545654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:48.576904058 CET56544975479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:49.089562893 CET497545654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:49.172209024 CET56544975479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:49.683207989 CET497545654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:49.765983105 CET56544975479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:53.863328934 CET497555654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:53.950566053 CET56544975579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:54.464886904 CET497555654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:54.550196886 CET56544975579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:55.058656931 CET497555654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:55.144181013 CET56544975579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:59.228866100 CET497645654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:59.318568945 CET56544976479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:10:59.825444937 CET497645654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:10:59.908130884 CET56544976479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:00.418479919 CET497645654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:00.504683018 CET56544976479.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:04.667921066 CET497685654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:04.753856897 CET56544976879.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:05.262670040 CET497685654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:05.377309084 CET56544976879.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:05.887820959 CET497685654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:05.970722914 CET56544976879.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:10.697511911 CET497725654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:10.784476042 CET56544977279.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:11.294397116 CET497725654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:11.388797998 CET56544977279.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:11.904058933 CET497725654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:11.988487959 CET56544977279.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:16.086658955 CET497755654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:16.169102907 CET56544977579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:16.669847012 CET497755654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:16.762417078 CET56544977579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:17.263628960 CET497755654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:17.346447945 CET56544977579.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:21.496545076 CET497765654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:21.582596064 CET56544977679.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:22.092253923 CET497765654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:22.179691076 CET56544977679.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:22.685975075 CET497765654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:22.773654938 CET56544977679.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:26.892983913 CET497775654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:26.977591991 CET56544977779.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:27.483406067 CET497775654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:27.567987919 CET56544977779.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:28.077723980 CET497775654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:28.160851002 CET56544977779.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:32.253349066 CET497785654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:32.341033936 CET56544977879.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:32.843106031 CET497785654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:32.946002960 CET56544977879.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:33.452650070 CET497785654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:33.540216923 CET56544977879.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:37.963520050 CET497795654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:38.048171043 CET56544977979.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:38.577904940 CET497795654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:38.662389040 CET56544977979.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:39.171739101 CET497795654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:39.258052111 CET56544977979.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:43.969376087 CET497805654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:44.054805994 CET56544978079.134.225.105192.168.2.4
                                                                          Feb 21, 2021 19:11:44.562824965 CET497805654192.168.2.479.134.225.105
                                                                          Feb 21, 2021 19:11:44.648353100 CET56544978079.134.225.105192.168.2.4

                                                                          UDP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Feb 21, 2021 19:09:48.930857897 CET5453153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:48.982146978 CET53545318.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:49.823251963 CET4971453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:49.871979952 CET53497148.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:51.212296963 CET5802853192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:51.260798931 CET53580288.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:52.114397049 CET5309753192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:52.168731928 CET53530978.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:53.199487925 CET4925753192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:53.249475002 CET53492578.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:54.438493967 CET6238953192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:54.491493940 CET53623898.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:55.249241114 CET4991053192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:55.298619032 CET53499108.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:56.177673101 CET5585453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:56.229222059 CET53558548.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:57.144870043 CET6454953192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:57.196521044 CET53645498.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:58.704134941 CET6315353192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:58.752796888 CET53631538.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:09:59.582113028 CET5299153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:09:59.631140947 CET53529918.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:00.345346928 CET5370053192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:00.396811008 CET53537008.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:01.173523903 CET5172653192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:01.225342989 CET53517268.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:02.044966936 CET5679453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:02.093724966 CET53567948.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:03.014596939 CET5653453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:03.064789057 CET53565348.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:03.832214117 CET5662753192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:03.884660959 CET53566278.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:04.691565037 CET5662153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:04.742393970 CET53566218.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:05.521996021 CET6311653192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:05.571896076 CET53631168.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:14.237704992 CET6407853192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:14.307945013 CET53640788.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:19.900085926 CET6480153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:19.956199884 CET53648018.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:25.420279980 CET6172153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:25.490183115 CET53617218.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:31.005204916 CET5125553192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:31.065110922 CET53512558.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:32.919872046 CET6152253192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:32.982388973 CET53615228.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:33.138350964 CET5233753192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:33.191318989 CET53523378.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:33.450341940 CET5504653192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:33.501333952 CET53550468.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:36.605760098 CET4961253192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:36.665493011 CET53496128.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:42.038508892 CET4928553192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:42.087125063 CET53492858.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:43.471916914 CET5060153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:43.520714045 CET53506018.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:48.389977932 CET6087553192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:48.440829992 CET53608758.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:53.801810980 CET5644853192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:53.860038996 CET53564488.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:54.833420992 CET5917253192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:54.928378105 CET53591728.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:55.452928066 CET6242053192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:55.510045052 CET53624208.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:56.095340014 CET6057953192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:56.144824028 CET53605798.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:56.231909037 CET5018353192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:56.306546926 CET53501838.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:56.870721102 CET6153153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:56.919975996 CET53615318.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:57.407344103 CET4922853192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:57.497565031 CET53492288.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:58.045015097 CET5979453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:58.133251905 CET53597948.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:58.729538918 CET5591653192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:58.795614958 CET53559168.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:59.175395966 CET5275253192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:59.227727890 CET53527528.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:10:59.520904064 CET6054253192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:10:59.570298910 CET53605428.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:00.651365995 CET6068953192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:00.708756924 CET53606898.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:01.183861017 CET6420653192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:01.243877888 CET53642068.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:04.595330954 CET5090453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:04.662915945 CET53509048.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:09.863444090 CET5752553192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:09.914339066 CET53575258.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:09.970029116 CET5381453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:10.047624111 CET53538148.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:10.646823883 CET5341853192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:10.696320057 CET53534188.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:11.946039915 CET6283353192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:12.011301041 CET53628338.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:16.027312040 CET5926053192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:16.085422993 CET53592608.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:21.439564943 CET4994453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:21.494040966 CET53499448.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:26.815378904 CET6330053192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:26.889494896 CET53633008.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:32.201236010 CET6144953192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:32.251133919 CET53614498.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:37.896838903 CET5127553192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:37.962276936 CET53512758.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:43.917714119 CET6349253192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:43.968136072 CET53634928.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:45.245934963 CET5894553192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:45.295686960 CET53589458.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:49.000189066 CET6077953192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:49.059232950 CET53607798.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:49.281303883 CET6401453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:49.329972982 CET53640148.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:54.650861025 CET5709153192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:11:54.702620029 CET53570918.8.8.8192.168.2.4
                                                                          Feb 21, 2021 19:11:59.986953974 CET5590453192.168.2.48.8.8.8
                                                                          Feb 21, 2021 19:12:00.047180891 CET53559048.8.8.8192.168.2.4

                                                                          DNS Queries

                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                          Feb 21, 2021 19:10:14.237704992 CET192.168.2.48.8.8.80x58b3Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:19.900085926 CET192.168.2.48.8.8.80x2e69Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:25.420279980 CET192.168.2.48.8.8.80xc51Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:31.005204916 CET192.168.2.48.8.8.80x9380Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:36.605760098 CET192.168.2.48.8.8.80x18dbStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:42.038508892 CET192.168.2.48.8.8.80xbe86Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:48.389977932 CET192.168.2.48.8.8.80x5bdfStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:53.801810980 CET192.168.2.48.8.8.80x5d7eStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:59.175395966 CET192.168.2.48.8.8.80x964cStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:04.595330954 CET192.168.2.48.8.8.80xce78Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:10.646823883 CET192.168.2.48.8.8.80x80eeStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:16.027312040 CET192.168.2.48.8.8.80x831cStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:21.439564943 CET192.168.2.48.8.8.80xdff9Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:26.815378904 CET192.168.2.48.8.8.80x9982Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:32.201236010 CET192.168.2.48.8.8.80x54b7Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:37.896838903 CET192.168.2.48.8.8.80x429eStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:43.917714119 CET192.168.2.48.8.8.80xcd9dStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:49.281303883 CET192.168.2.48.8.8.80x2942Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:54.650861025 CET192.168.2.48.8.8.80x7faeStandard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:59.986953974 CET192.168.2.48.8.8.80x3e30Standard query (0)cloudhost.myfirewall.orgA (IP address)IN (0x0001)

                                                                          DNS Answers

                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                          Feb 21, 2021 19:10:14.307945013 CET8.8.8.8192.168.2.40x58b3No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:19.956199884 CET8.8.8.8192.168.2.40x2e69No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:25.490183115 CET8.8.8.8192.168.2.40xc51No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:31.065110922 CET8.8.8.8192.168.2.40x9380No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:32.982388973 CET8.8.8.8192.168.2.40x73f3No error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.akadns.netCNAME (Canonical name)IN (0x0001)
                                                                          Feb 21, 2021 19:10:36.665493011 CET8.8.8.8192.168.2.40x18dbNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:42.087125063 CET8.8.8.8192.168.2.40xbe86No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:48.440829992 CET8.8.8.8192.168.2.40x5bdfNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:53.860038996 CET8.8.8.8192.168.2.40x5d7eNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:10:59.227727890 CET8.8.8.8192.168.2.40x964cNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:04.662915945 CET8.8.8.8192.168.2.40xce78No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:10.696320057 CET8.8.8.8192.168.2.40x80eeNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:16.085422993 CET8.8.8.8192.168.2.40x831cNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:21.494040966 CET8.8.8.8192.168.2.40xdff9No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:26.889494896 CET8.8.8.8192.168.2.40x9982No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:32.251133919 CET8.8.8.8192.168.2.40x54b7No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:37.962276936 CET8.8.8.8192.168.2.40x429eNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:43.968136072 CET8.8.8.8192.168.2.40xcd9dNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:49.329972982 CET8.8.8.8192.168.2.40x2942No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:11:54.702620029 CET8.8.8.8192.168.2.40x7faeNo error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)
                                                                          Feb 21, 2021 19:12:00.047180891 CET8.8.8.8192.168.2.40x3e30No error (0)cloudhost.myfirewall.org79.134.225.105A (IP address)IN (0x0001)

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          Click to jump to process

                                                                          System Behavior

                                                                          Analysis Process: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720 Parent PID: 6088

                                                                          General

                                                                          Start time:19:09:54
                                                                          Start date:21/02/2021
                                                                          Path:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe'
                                                                          Imagebase:0xc40000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Analysis Process: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416 Parent PID: 6720

                                                                          General

                                                                          Start time:19:10:08
                                                                          Start date:21/02/2021
                                                                          Path:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0x8f0000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.907132131.0000000005980000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.907132131.0000000005980000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Analysis Process: schtasks.exe PID: 6540 Parent PID: 6416

                                                                          General

                                                                          Start time:19:10:10
                                                                          Start date:21/02/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp'
                                                                          Imagebase:0xc00000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Analysis Process: conhost.exe PID: 6744 Parent PID: 6540

                                                                          General

                                                                          Start time:19:10:12
                                                                          Start date:21/02/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Analysis Process: schtasks.exe PID: 6632 Parent PID: 6416

                                                                          General

                                                                          Start time:19:10:12
                                                                          Start date:21/02/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA082.tmp'
                                                                          Imagebase:0xc00000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Analysis Process: conhost.exe PID: 6764 Parent PID: 6632

                                                                          General

                                                                          Start time:19:10:13
                                                                          Start date:21/02/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Analysis Process: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888 Parent PID: 968

                                                                          General

                                                                          Start time:19:10:14
                                                                          Start date:21/02/2021
                                                                          Path:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe 0
                                                                          Imagebase:0xda0000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Analysis Process: dhcpmon.exe PID: 2460 Parent PID: 968

                                                                          General

                                                                          Start time:19:10:14
                                                                          Start date:21/02/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                          Imagebase:0x1c0000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          Reputation:low

                                                                          Analysis Process: dhcpmon.exe PID: 7160 Parent PID: 3424

                                                                          General

                                                                          Start time:19:10:20
                                                                          Start date:21/02/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                          Imagebase:0xdb0000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Analysis Process: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260 Parent PID: 6888

                                                                          General

                                                                          Start time:19:10:24
                                                                          Start date:21/02/2021
                                                                          Path:C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0xe00000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Analysis Process: dhcpmon.exe PID: 6500 Parent PID: 2460

                                                                          General

                                                                          Start time:19:10:25
                                                                          Start date:21/02/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0xb90000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Analysis Process: dhcpmon.exe PID: 5748 Parent PID: 7160

                                                                          General

                                                                          Start time:19:10:36
                                                                          Start date:21/02/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0x810000
                                                                          File size:412672 bytes
                                                                          MD5 hash:0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Disassembly

                                                                          Code Analysis

                                                                          Reset < >