
Analysis Report document.exe

Overview

General Information

Sample Name: document.exe
Analysis ID: 356144
MD5: a777ee74f09e40b1e32ff3007eb89d14
SHA1: 1de57a7c6dc4821ce07a57d4963deadf3bb9b4ff
SHA256: b6afddd574a0d7a3686a9d40bed40387914f3d45f9dd2e6a8962fd9ceae8b755

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • document.exe (PID: 5712 cmdline: 'C:\Users\user\Desktop\document.exe' MD5: A777EE74F09E40B1E32FF3007EB89D14)
    • RegAsm.exe (PID: 752 cmdline: 'C:\Users\user\Desktop\document.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • schtasks.exe (PID: 5212 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5584 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp75FE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 1152 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5676 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 2288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 2844 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: Process Memory Space: document.exe PID: 5712 | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x8c717:$x1: NanoCore.ClientPluginHost
  • 0x8c778:$x2: IClientNetworkHost
  • 0x91b7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x9faef:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 1.2.document.exe.17a0000.2.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 1.2.document.exe.17a0000.2.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 1.2.document.exe.17a0000.2.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 1.2.document.exe.17a0000.2.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
Source: 1.2.document.exe.17a0000.2.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\document.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 752, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp', ProcessId: 5212

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: document.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: document.exe | ReversingLabs: Detection: 88%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document.exe PID: 5712, type: MEMORY
Source: Yara match | File source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: document.exe | Joe Sandbox ML: detected
Source: 1.2.document.exe.1430000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: document.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP source: document.exe, 00000001.00000003.421094788.0000000003040000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.21.dr
Source: Binary string: wntdll.pdb source: document.exe, 00000001.00000003.421094788.0000000003040000.00000004.00000001.sdmp

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: abdul2u.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 79.134.225.110:6735
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 79.134.225.122:6735
Source: Joe Sandbox View | IP Address: 79.134.225.110
Source: Joe Sandbox View | IP Address: 79.134.225.122
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.110 (this entry is repeated 50 times in the report)
Source: unknown | DNS traffic detected: queries for: abdul2u.ddns.net
Source: document.exe, 00000001.00000002.424198316.00000000016AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document.exe PID: 5712, type: MEMORY
Source: Yara match | File source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: document.exe PID: 5712, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: document.exe PID: 5712, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)
Source: document.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: document.exe
Source: C:\Users\user\Desktop\document.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028B200
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_00287270
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_00289CE0
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_002844C0
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_00288370
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 27_2_024B01B7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 30_2_053301B7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 32_2_053E01B7
Source: document.exe, 00000001.00000002.423533661.0000000000298000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamepursuit's.exe, vs document.exe
Source: document.exe, 00000001.00000003.419309477.000000000335F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs document.exe
Source: document.exe | Binary or memory string: OriginalFilenamepursuit's.exe, vs document.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: document.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: document.exe PID: 5712, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: document.exe PID: 5712, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/10@38/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2288:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{842b4453-95e5-446e-a346-fefe93a3cc40}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\tmp72B1.tmp
Source: document.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: document.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\Desktop\document.exe | File read: C:\Users\user\Desktop\document.exe
Source: unknown | Process created: C:\Users\user\Desktop\document.exe 'C:\Users\user\Desktop\document.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\document.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp75FE.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\document.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\document.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp75FE.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP source: document.exe, 00000001.00000003.421094788.0000000003040000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.21.dr
Source: Binary string: wntdll.pdb source: document.exe, 00000001.00000003.421094788.0000000003040000.00000004.00000001.sdmp
Source: document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028F8BB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028ECF5 push ecx; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 30_2_02C30754 push 00C00000h; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp'

      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (52 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477 (2 entries)
(922337203685477 is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue converted from 100 ns ticks to milliseconds: these threads are parked for an effectively infinite wait, not a real timeout.)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 684
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 666
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 843
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: foregroundWindowGot 434
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: foregroundWindowGot 1285
Source: C:\Users\user\Desktop\document.exe | API coverage: 5.3 %
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2412 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2412 | Thread sleep time: -34200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4196 | Thread sleep time: -540000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5556 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5644 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3776 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (5 identical entries)
Source: RegAsm.exe, 00000015.00000003.493806449.0000000000EB5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWp
Source: RegAsm.exe, 00000015.00000003.493806449.0000000000EB5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: C:\Users\user\Desktop\document.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028FC26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028F8BB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028FC26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028F363 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028DBBE SetUnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\document.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\document.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: BDF008
Source: C:\Users\user\Desktop\document.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\document.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp75FE.tmp'
Source: RegAsm.exe, 00000015.00000003.557329568.0000000000EE8000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000015.00000003.494486256.0000000000EA3000.00000004.00000001.sdmp | Binary or memory string: =rProgram Manager|a
Source: RegAsm.exe, 00000015.00000003.493806449.0000000000EB5000.00000004.00000001.sdmp | Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegAsm.exe
Source: C:\Users\user\Desktop\document.exe | Code function: 1_2_0028EE9F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
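The process tree recorded in this section is the part of the report a SOC can act on without a sandbox: document.exe starts RegAsm.exe with document.exe's own path as the command line (image on disk and command line disagree, the usual footprint of a hollowed host), and the injected RegAsm.exe then calls schtasks.exe /create with an XML file under %LOCALAPPDATA%\Temp, the same command shown under Boot Survival. The following is an added example, not code from the Joe Sandbox report and not the Sigma rule it cites: three checks over Sysmon-style process-creation events (Image, CommandLine, ParentImage). The sample events are constructed to mirror the report's tree plus two benign controls, and the list of .NET host binaries beyond RegAsm.exe is an assumption from general experience, not something this report shows.

```python
"""
Process-creation checks for the injection-then-persistence pattern in this report.
Added example, not code from the Joe Sandbox report and not the Sigma rule it cites.
SAMPLE_EVENTS are constructed (Sysmon Event ID 1 style fields), not captured telemetry.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# The dropped task XML lived in C:\Users\user\AppData\Local\Temp\tmp72B1.tmp.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# .NET framework utilities used as injection hosts. RegAsm.exe is the one seen in this
# report; the other names are an assumption from general experience, not from the report.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def first_token(cmdline: str) -> str:
    """Return the executable part of a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if not s:
        return ""
    if s[0] in ('"', "'"):
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0]


def stem(path: str) -> str:
    """Lower-cased file name without extension, so 'cmd' and 'C:\\...\\cmd.exe' compare equal."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def rule_schtasks_from_temp(ev: Dict[str, str]) -> bool:
    """schtasks.exe /create ... /xml <file under %LOCALAPPDATA%\\Temp>."""
    if stem(ev["Image"]) != "schtasks":
        return False
    cl = ev["CommandLine"].lower()
    return "/create" in cl and "/xml" in cl and TEMP_DIR_RE.search(ev["CommandLine"]) is not None


def rule_image_cmdline_mismatch(ev: Dict[str, str]) -> bool:
    """Image on disk differs from the executable named in the command line
    (RegAsm.exe started as 'C:\\Users\\user\\Desktop\\document.exe' in this report)."""
    exe = first_token(ev["CommandLine"])
    return bool(exe) and stem(exe) != stem(ev["Image"])


def rule_dotnet_host_spawns_schtasks(ev: Dict[str, str]) -> bool:
    """A .NET framework utility, which has no reason to schedule tasks, spawning schtasks.exe."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    return parent in DOTNET_HOSTS and stem(ev["Image"]) == "schtasks"


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "schtasks_from_temp": rule_schtasks_from_temp,
    "image_cmdline_mismatch": rule_image_cmdline_mismatch,
    "dotnet_host_spawns_schtasks": rule_dotnet_host_spawns_schtasks,
}


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


# Constructed events mirroring the report's tree; events 0 and 3 are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "CommandLine": r'"C:\Users\user\Desktop\document.exe"',
     "ParentImage": r"C:\Users\user\Desktop\document.exe"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp72B1.tmp"',
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\task.xml"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name:28s} event {idx}: {ntpath.basename(ev['Image'])} <- {ntpath.basename(ev['ParentImage'])}")
```

Run as-is to print the rules that fire on the constructed events; in a pipeline, feed it the Image, CommandLine and ParentImage fields from Sysmon Event ID 1 or equivalent EDR telemetry. The image/command-line mismatch check carries the most signal for this sample, since a framework utility whose command line names an executable in a user profile rarely has a benign explanation, whereas schtasks /create from a temp XML does occur in legitimate installers and needs the parent-process context to be actionable.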

      Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document.exe PID: 5712, type: MEMORY
Source: Yara match | File source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

Detected Nanocore Rat
Source: document.exe, 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document.exe PID: 5712, type: MEMORY
Source: Yara match | File source: 1.2.document.exe.17a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.document.exe.17a0000.2.raw.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

Techniques this analysis matched carry a trailing marker in parentheses (rendered as superscripts in the original); unmarked entries are the unmatched remainder of the matrix grid.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Scheduled Task/Job (1), Native API (1), At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (212), Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (2), Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Process Injection (212), Hidden Files and Directories (1), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (2), Process Discovery (2), Application Window Discovery (1), System Information Discovery (3), Network Sniffing, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

      Behavior Graph


      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 356144 | Sample: document.exe | Start date: 22/02/2021 | Architecture: WINDOWS | Score: 100

The graph is rendered here as the process tree it encodes. Node numbers are the graph's own; the small integers after a process name are the graph's per-process counters (see legend).

Start (node 2)
  DNS: abdul2u.ddns.net
  Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Sigma detected: Scheduled temp file as task from temp location; 9 other signatures
  started: document.exe (node 9), dhcpmon.exe 4 (node 12), RegAsm.exe 4 (node 14), dhcpmon.exe 3 (node 16)

document.exe (node 9)
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  started: RegAsm.exe 1 13 (node 18)

dhcpmon.exe (node 12) started conhost.exe (node 23)
RegAsm.exe (node 14) started conhost.exe (node 25)
dhcpmon.exe (node 16) started conhost.exe (node 27)

RegAsm.exe (node 18)
  Network: abdul2u.ddns.net 79.134.225.122, ports 49741, 49743, 49744, FINK-TELECOM-SERVICESCH Switzerland; 79.134.225.110, ports 49737, 49738, 49739, FINK-TELECOM-SERVICESCH Switzerland; 192.168.2.1 unknown unknown
  Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmp72B1.tmp (XML); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  started: schtasks.exe 1 (node 29), schtasks.exe 1 (node 31)

schtasks.exe (node 29) started conhost.exe (node 33)
schtasks.exe (node 31) started conhost.exe (node 35)

Screenshots

(Screenshot thumbnails are not reproduced in this text rendering.)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
document.exe | 88% | ReversingLabs | Win32.Trojan.Azorult
document.exe | 100% | Avira | HEUR/AGEN.1121608
document.exe | 100% | Joe Sandbox ML |

The ReversingLabs family label (Azorult) disagrees with the NanoCore verdict from the Yara and behavioral signatures; vendor family names for packed droppers are frequently generic or stale, so the behavioral classification should drive the response.

      Dropped Files

Source | Detection | Scanner
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs

      Unpacked PE Files

Source | Detection | Scanner | Label
1.2.document.exe.1430000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.document.exe.280000.0.unpack | 100% | Avira | HEUR/AGEN.1121608
1.2.document.exe.280000.0.unpack | 100% | Avira | HEUR/AGEN.1121608

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
abdul2u.ddns.net | 79.134.225.122 | true | true | | unknown

        Contacted IPs


        Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.110 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | false
79.134.225.122 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

The Malicious column is a reputation flag, not a behavioral one: 79.134.225.110 is marked false, yet the behavior graph shows the injected RegAsm.exe connecting to it alongside 79.134.225.122, so both addresses belong on the blocklist for this sample.

        Private

        IP
        192.168.2.1

        General Information

        Joe Sandbox Version:31.0.0 Emerald
        Analysis ID:356144
        Start date:22.02.2021
        Start time:16:35:06
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 14m 9s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:document.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@15/10@38/3
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 97.6% (good quality ratio 93.2%)
        • Quality average: 83.6%
        • Quality standard deviation: 25.9%
        HCA Information:
        • Successful, ratio: 91%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • TCP Packets have been reduced to 100
        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 104.43.193.48, 92.122.145.220, 13.64.90.137, 52.147.198.201, 52.255.188.83, 184.30.24.56, 205.185.216.10, 205.185.216.42, 51.104.144.132, 92.122.213.247, 92.122.213.194, 20.54.26.129, 52.155.217.156, 20.190.159.138, 40.126.31.8, 40.126.31.141, 20.190.159.132, 40.126.31.139, 20.190.159.134, 40.126.31.137, 40.126.31.4, 40.127.240.158, 51.11.168.232, 20.49.150.241, 51.104.139.180
        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, cds.d2s7q6s2.hwcdn.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/356144/sample/document.exe

        Simulations

        Behavior and APIs

Time | Type | Description
16:37:38 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:37:39 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
16:37:40 | API Interceptor | 3464x Sleep call for process: RegAsm.exe modified
16:37:42 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

        Joe Sandbox View / Context

        IPs

Match | Associated Sample Name / URL | Detection
79.134.225.110:
  P9hBKKQw3T.exe | malicious
  Offer .exe | malicious
  courier parcel awb.exe | malicious
  19RFQ - 2019093000107.exe | malicious
  6RFQ - 2019092700105.exe | malicious
  18Order #6253743.exe | malicious
  17Specifications Order #6253743.exe | malicious
  22SPECIFICATIONS.pdf ind.exe | malicious
  31QUOTATION 92237.pdf ind.exe | malicious
79.134.225.122:
  Bank_Transfer_8312020,pdf.exe | malicious
  BINDER_Asia_Pacific,pdf.exe | malicious
  Hyper_Market,pdf.exe | malicious
  ROKI_Inquiry,pdf.exe | malicious
  862020,pdf.exe | malicious
  862020,pdf.exe | malicious
  inv&packing_list_20625-B,pdf.exe | malicious
  no1nCVheI2.exe | malicious
  https://onedrive.live.com/download?cid=34207675F7506D94&resid=34207675F7506D94%21140&authkey=AFKMklYJ_WYjTYg | malicious
  PO 11253-xlxs.exe | malicious

                                              Domains

Match | Associated Sample Name / URL | Detection | IP
abdul2u.ddns.net:
  https://onedrive.live.com/download?cid=34207675F7506D94&resid=34207675F7506D94%21140&authkey=AFKMklYJ_WYjTYg | malicious | 91.193.75.245

                                              ASN

Match | Associated Sample Name / URL | Detection | IP
FINK-TELECOM-SERVICESCH:
  5293ea9467ea45e928620a5ed74440f5.exe | malicious | 79.134.225.105
  f1a14e6352036833f1c109e1bb2934f2.exe | malicious | 79.134.225.105
  256ec8f8f67b59c5e085b0bb63afcd13.exe | malicious | 79.134.225.105
  JOIN.exe | malicious | 79.134.225.30
  Delivery pdf.exe | malicious | 79.134.225.25
  d88e07467ddcf9e3b19fa972b9f000d1.exe | malicious | 79.134.225.105
  fnfqzfwC44.exe | malicious | 79.134.225.25
  Solicitud de oferta 6100003768.exe | malicious | 79.134.225.96
  Nrfgylra.exe | malicious | 79.134.225.96
  HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
  HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
  HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
  Form pdf.exe | malicious | 79.134.225.25
  Quotation 3342688.exe | malicious | 79.134.225.120
  REQUEST FOR QUOTATION.exe | malicious | 79.134.225.76
  Orden.exe | malicious | 79.134.225.6
  Ordine.exe | malicious | 79.134.225.11
  73a4f40d0affe5eea89174f8917bba73.exe | malicious | 79.134.225.105
  ToolNcatalogpri00088756564162021.exe | malicious | 79.134.225.45
  INV WJD000030036000137675999, xlsx.exe | malicious | 79.134.225.69
                                              Orden.exeGet hashmaliciousBrowse
                                              • 79.134.225.6
                                              Ordine.exeGet hashmaliciousBrowse
                                              • 79.134.225.11
                                              73a4f40d0affe5eea89174f8917bba73.exeGet hashmaliciousBrowse
                                              • 79.134.225.105
                                              ToolNcatalogpri00088756564162021.exeGet hashmaliciousBrowse
                                              • 79.134.225.45
                                              INV WJD000030036000137675999, xlsx.exeGet hashmaliciousBrowse
                                              • 79.134.225.69

JA3 Fingerprints

No context

Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (the associated sample names and their detections are listed under Created / dropped Files, Joe Sandbox View)

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 53248
Entropy (8bit): 4.490095782293901
Encrypted: false
SSDEEP: 768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
MD5: 529695608EAFBED00ACA9E61EF333A7C
SHA1: 68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
SHA-256: 44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
SHA-512: 8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: w0JlVAbpIT.exe, Detection: malicious
• Filename: Bjdl7RO0K8.exe, Detection: malicious
• Filename: 4hW0TZqN01.exe, Detection: malicious
• Filename: d4e475d7d17a16be8b9eeac6e10b25af.exe, Detection: malicious
• Filename: e5bd3238d220c97cd4d6969abb3b33e0.exe, Detection: malicious
• Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious
• Filename: Xf6v0G2wIM.exe, Detection: malicious
• Filename: jztWD1iKrC.exe, Detection: malicious
• Filename: wH22vdkhhU.exe, Detection: malicious
• Filename: AqpOn6nwXS.exe, Detection: malicious
• Filename: CklrD7MYX2.exe, Detection: malicious
• Filename: FahZG6Pdc4.exe, Detection: malicious
• Filename: 61WlCsQR9Q.exe, Detection: malicious
• Filename: U7DiqWP9qu.exe, Detection: malicious
• Filename: d4x5rI09A7.exe, Detection: malicious
• Filename: 1WW425NrsA.exe, Detection: malicious
• Filename: Kyd6mztyQ5.exe, Detection: malicious
• Filename: xdNg7FUNS2.exe, Detection: malicious
• Filename: 14muK1SuRQ.exe, Detection: malicious
• Filename: 9fPECeVI6R.exe, Detection: malicious
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 20
Entropy (8bit): 3.6841837197791887
Encrypted: false
SSDEEP: 3:QHXMKas:Q3Las
MD5: B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1: AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256: 7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512: 09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 20
Entropy (8bit): 3.6841837197791887
Encrypted: false
SSDEEP: 3:QHXMKas:Q3Las
MD5: B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1: AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256: 7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512: 09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious: false
Preview: 1,"fusion","GAC",0..
C:\Users\user\AppData\Local\Temp\tmp72B1.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1319
Entropy (8bit): 5.133606110275315
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
MD5: C6F0625BF4C1CDFB699980C9243D3B22
SHA1: 43DE1FE580576935516327F17B5DA0C656C72851
SHA-256: 8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
SHA-512: 9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
Malicious: true
Preview (scheduled task definition, truncated by the sandbox):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <Wak
C:\Users\user\AppData\Local\Temp\tmp75FE.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.109425792877704
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious: false
Preview (scheduled task definition, truncated by the sandbox):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <Wak
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:9in:w
MD5: 4404174C1B769670A5A19334FCA38266
SHA1: DA1B0E55A4E8548AF5820DF6378DD4A9A44971D1
SHA-256: 3A8A6467970123C36B0ACBE5659ADF0D9924C68BB565B64E973518A87C06C7E6
SHA-512: 5AB62DEAF1D10E25378314F44C62170DED8AB14F16BB9450B58E156B2F290762B01984A80DFA54263D89D36643F747CB78B50DF6D64301701396072DB19E2CE3
Malicious: true
Preview: .I.8...H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 56
Entropy (8bit): 4.787365359936823
Encrypted: false
SSDEEP: 3:oMty8WbSXgL4A:oMLWuQL4A
MD5: EFD1636CFC3CC38FD7BABAE5CAC9EDE0
SHA1: 4D7D378ABEB682EEFBD039930C0EA996FBF54178
SHA-256: F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
SHA-512: 69B2B0AB1A6E13395EF52DCB903B8E17D842E6D0D44F801FF2659CFD5EC343C8CC57928B02961FC7099AD43FF05633BAF5AC39042A00C8676D4FA8F6F8C2A5D7
Malicious: false
Preview: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
\Device\ConDrv
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1010
Entropy (8bit): 4.298581893109255
Encrypted: false
SSDEEP: 24:zKTDwL/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zKTDwAXZxo4ABV+SrUYE
MD5: 367EEEC425FE7E80B723298C447E2F22
SHA1: 3873DFC88AF504FF79231FE2BF0E3CD93CE45195
SHA-256: 481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC
SHA-512: F7101541D87F045E9DBC45941CDC5A7F97F3EFC29AC0AF2710FC24FA64F0163F9463DE373A5D2BE1270126829DE81006FB8E764186374966E8D0E9BB35B7D7D6
Malicious: false
Preview (console output, truncated by the sandbox):
Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922
Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.

Syntax: RegAsm AssemblyName [Options]
Options:
  /unregister           Unregister types
  /tlb[:FileName]       Export the assembly to the specified type library
                        and register it
  /regfile[:FileName]   Generate a reg file with the specified name
                        instead of registering the types. This option
                        cannot be used with the /u or /tlb options
  /codebase             Set the code base in the registry
  /registered           Only refer to already registered type libraries
  /asmpath:Directory    Look for assembly references here
  /nologo               Prevents RegAsm from displaying logo
  /silent               Silent mode. Prevents displaying of success messages
  /verbose              Displays extra information
  /? or /help           Display this usage

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.562048565874239
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: document.exe
File size: 320595
MD5: a777ee74f09e40b1e32ff3007eb89d14
SHA1: 1de57a7c6dc4821ce07a57d4963deadf3bb9b4ff
SHA256: b6afddd574a0d7a3686a9d40bed40387914f3d45f9dd2e6a8962fd9ceae8b755
SHA512: 4ac57b62ae762565725e9ccc533c5221fc3ec165f265132da4bce75094bb74636946dbf9e56ea123a48b3800da9486bcea63285e58512f7b5a721f6b953cde81
SSDEEP: 6144:793puKfSbitErTqTkmgcKq2e3B0sYE5P17s7TomYn70XaN5L+FYUdp:nuqtqSkmgcKqHBP5tSo7/KuUz
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.k.I.8.I.8.I.8.?t8.I.8.?A8.I.8.1L8.I.8.I.8.I.8.?u8.I.8.?E8.I.8.?B8.I.8Rich.I.8........................PE..L......]...........

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40db72
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0x5DB2FEEC [Fri Oct 25 13:55:56 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: ad727357155f2158504db1cb9482d9b1

Entrypoint Preview

The bytes at 0x40db72 are the stock VS2010 CRT startup rather than sample-specific code: a call into the CRT initialiser followed by a jmp into the main startup routine, then the CRT's C++ exception helpers, which test the exception record for the MSVC C++ exception code 0xE06D7363, exactly three parameters (offset 0x10 of EXCEPTION_RECORD) and one of the EH magic values 0x19930520, 0x19930521, 0x19930522 or 0x01994000. The indirect calls go through the IAT (RVA 0x12000, i.e. 0x412000-0x412168 at the reported image base), and the GetModuleHandleW-style lookup followed by GetProcAddress-style lookup and a call through eax, then one more import call, has the shape of the CRT's mscoree.dll CorExitProcess probe ahead of ExitProcess. Nothing in this preview accounts for the behaviour listed in the signatures; that is reached later.

Instruction
    call 00007F34EC36C40Dh
    jmp 00007F34EC36AF6Eh
    mov edi, edi
    push ebp
    mov ebp, esp
    mov eax, dword ptr [ebp+08h]
    mov eax, dword ptr [eax]
    cmp dword ptr [eax], E06D7363h
    jne 00007F34EC36B10Ch
    cmp dword ptr [eax+10h], 03h
    jne 00007F34EC36B106h
    mov eax, dword ptr [eax+14h]
    cmp eax, 19930520h
    je 00007F34EC36B0F7h
    cmp eax, 19930521h
    je 00007F34EC36B0F0h
    cmp eax, 19930522h
    je 00007F34EC36B0E9h
    cmp eax, 01994000h
    jne 00007F34EC36B0E7h
    call 00007F34EC36C467h
    xor eax, eax
    pop ebp
    retn 0004h
    push 0040DB7Ch
    call dword ptr [00412098h]
    xor eax, eax
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    push 0041240Ch
    call dword ptr [004120A0h]
    test eax, eax
    je 00007F34EC36B0F7h
    push 004123FCh
    push eax
    call dword ptr [0041209Ch]
    test eax, eax
    je 00007F34EC36B0E7h
    push dword ptr [ebp+08h]
    call eax
    pop ebp
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    push dword ptr [ebp+08h]
    call 00007F34EC36B0ADh
    pop ecx
    push dword ptr [ebp+08h]
    call dword ptr [004120A4h]
    int3
    push 00000008h
    call 00007F34EC36C5CDh
    pop ecx
    ret
    push 00000008h
    call 00007F34EC36C4EBh
    pop ecx
    ret
    mov edi, edi
    push esi
    call 00007F34EC36BCDAh
    mov esi, eax
    push esi
    call 00007F34EC36C9A2h
    push esi
    call 00007F34EC36C802h
    push esi
    call 00007F34EC36B0EDh

Rich Headers

Programming Language:
• [LNK] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [C++] VS2010 build 30319
• [RES] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729

The single VS2008 SP1 entry is the import-library stubs that a VS2010 link pulls from the bundled SDK; the executable's own objects are VS2010 throughout, which agrees with the VS2010 CRT code at the entrypoint.

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13cdc | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x310 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19000 | 0x14bc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13ae0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

No COM descriptor, no TLS directory, no debug directory and no security (Authenticode) directory. The import directory holds three descriptors (0x50 bytes is 4 x 20 bytes: three entries plus the null terminator), matching the three DLLs under Imports. Because the file is native, the NanoCore detection (a .NET RAT) refers to code the sample unpacks and injects at runtime, consistent with the injection signatures above, not to managed code in this PE.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10c42 | 0x10e00 | False | 0.49955150463 | data | 6.21379336576 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x251a | 0x2600 | False | 0.343544407895 | data | 4.92885915543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x15000 | 0x2400 | 0x1600 | False | 0.297940340909 | PGP\011Secret Sub-key - | 4.02678593401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x18000 | 0x310 | 0x400 | False | 0.3740234375 | data | 2.65405558594 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x19000 | 0x169c | 0x1800 | False | 0.7255859375 | data | 6.32911431671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The "PGP Secret Sub-key" file type for .data is a file(1)-style magic match on the section's first bytes, not an actual key. Entropy stays between 2.7 and 6.3, so no section looks like a compressed or encrypted blob and the sample is not packed in the whole-file sense. .reloc is larger (0x169c) than the BASERELOC directory (0x14bc); only the first 0x14bc bytes are relocation data the loader processes.

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x18060 | 0x2b0 | data | English | United States

Imports

DLL | Import
MSACM32.dll | XRegThunkEntry, acmFormatTagDetailsA, acmStreamReset, acmStreamUnprepareHeader, acmDriverClose, acmFormatDetailsW, acmStreamConvert, acmGetVersion, acmStreamOpen, acmFormatEnumW, acmDriverEnum, acmStreamClose, acmFormatDetailsA, acmDriverID, acmFilterTagDetailsW, acmDriverRemove
GLU32.dll | gluLookAt, gluBeginTrim, gluNewNurbsRenderer, gluTessBeginContour, gluBeginCurve, gluNurbsCurve, gluLoadSamplingMatrices, gluBuild2DMipmaps, gluPartialDisk, gluQuadricNormals, gluBeginPolygon, gluEndCurve, gluTessEndPolygon, gluQuadricOrientation, gluDeleteQuadric, gluGetTessProperty, gluTessNormal
KERNEL32.dll | GetCurrentProcess, HeapFree, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, WideCharToMultiByte, HeapSize, HeapAlloc, HeapReAlloc, IsProcessorFeaturePresent, LCMapStringW, MultiByteToWideChar, GetStringTypeW, SetHandleCount, GetCommandLineW, HeapSetInformation, GetStartupInfoW, SetUnhandledExceptionFilter, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, UnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess

KERNEL32 contributes only what the VS2010 CRT needs (heap, TLS, code page, critical section and startup calls) plus LoadLibraryW and GetProcAddress, which is enough to resolve every other API at runtime (the "dynamically determine API calls" signature above). No networking, registry, process or file-system API is imported statically. MSACM32 (audio compression manager) and GLU32 (OpenGL utility) have no plausible use in a RAT loader and read as padding that changes the import hash and the binary's apparent purpose.
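Two checks a reviewer can run against the tables above, as an added Python example that is not part of the report: rebuild the imphash input string from the listed imports the way pefile and Mandiant define it (lowercase DLL name without extension, dot, lowercase function name, comma-joined in import-directory order), and confirm that the number of imports accounts for the IAT size of 0x168 bytes given under Data Directories. The import list is embedded as constructed data copied from the table. The digest only reproduces the reported ad727357155f2158504db1cb9482d9b1 if the table's order is the import-directory order, which the report does not guarantee, so the code asserts the shape of the string rather than the digest; the IAT arithmetic is order-independent.

```python
import hashlib

# Import table as printed in the report (DLL -> imported names). Assumption:
# this is import-directory order; imphash is order-sensitive, so a different
# order yields a different digest for the same set of names.
REPORTED_IMPORTS = [
    ("MSACM32.dll", [
        "XRegThunkEntry", "acmFormatTagDetailsA", "acmStreamReset",
        "acmStreamUnprepareHeader", "acmDriverClose", "acmFormatDetailsW",
        "acmStreamConvert", "acmGetVersion", "acmStreamOpen", "acmFormatEnumW",
        "acmDriverEnum", "acmStreamClose", "acmFormatDetailsA", "acmDriverID",
        "acmFilterTagDetailsW", "acmDriverRemove",
    ]),
    ("GLU32.dll", [
        "gluLookAt", "gluBeginTrim", "gluNewNurbsRenderer", "gluTessBeginContour",
        "gluBeginCurve", "gluNurbsCurve", "gluLoadSamplingMatrices",
        "gluBuild2DMipmaps", "gluPartialDisk", "gluQuadricNormals",
        "gluBeginPolygon", "gluEndCurve", "gluTessEndPolygon",
        "gluQuadricOrientation", "gluDeleteQuadric", "gluGetTessProperty",
        "gluTessNormal",
    ]),
    ("KERNEL32.dll", [
        "GetCurrentProcess", "HeapFree", "Sleep", "GetCPInfo", "GetACP",
        "GetOEMCP", "IsValidCodePage", "RtlUnwind", "WideCharToMultiByte",
        "HeapSize", "HeapAlloc", "HeapReAlloc", "IsProcessorFeaturePresent",
        "LCMapStringW", "MultiByteToWideChar", "GetStringTypeW", "SetHandleCount",
        "GetCommandLineW", "HeapSetInformation", "GetStartupInfoW",
        "SetUnhandledExceptionFilter", "GetProcAddress", "GetModuleHandleW",
        "ExitProcess", "DecodePointer", "WriteFile", "GetStdHandle",
        "GetModuleFileNameW", "FreeEnvironmentStringsW", "GetEnvironmentStringsW",
        "InitializeCriticalSectionAndSpinCount", "GetFileType",
        "DeleteCriticalSection", "EncodePointer", "TlsAlloc", "TlsGetValue",
        "TlsSetValue", "TlsFree", "InterlockedIncrement", "SetLastError",
        "GetCurrentThreadId", "GetLastError", "InterlockedDecrement", "HeapCreate",
        "QueryPerformanceCounter", "GetTickCount", "GetCurrentProcessId",
        "GetSystemTimeAsFileTime", "LeaveCriticalSection", "EnterCriticalSection",
        "LoadLibraryW", "UnhandledExceptionFilter", "IsDebuggerPresent",
        "TerminateProcess",
    ]),
]

# Imports that let a loader resolve anything else at runtime.
DYNAMIC_RESOLUTION = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def imphash_string(imports):
    """Canonical 'dll.func,dll.func,...' input of the pefile/Mandiant imphash."""
    parts = []
    for dll, names in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):  # pefile strips exactly these
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{name.lower()}" for name in names)
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical string; equals the report's value only in directory order."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def iat_size_bytes(imports, bits=32):
    """IAT bytes the listed imports require: one slot per import plus one null slot per DLL."""
    slot = 4 if bits == 32 else 8
    return slot * sum(len(names) + 1 for _, names in imports)


def loader_profile(imports):
    """Summarise whether the static imports alone explain the sample's capabilities."""
    flat = {name for _, names in imports for name in names}
    return {
        "total_imports": len(flat),
        "can_resolve_at_runtime": bool(flat & DYNAMIC_RESOLUTION),
        "non_kernel32_dlls": sorted(dll for dll, _ in imports if dll.lower() != "kernel32.dll"),
    }


if __name__ == "__main__":
    print(imphash(REPORTED_IMPORTS))
    print(hex(iat_size_bytes(REPORTED_IMPORTS)), loader_profile(REPORTED_IMPORTS))
```

With 87 imports over three DLLs the IAT needs 90 four-byte slots, i.e. 0x168 bytes, exactly the IAT directory size in the header, so the import table the report prints is complete and there is no hidden fourth descriptor.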

Version Infos

Description | Data
LegalCopyright | Copyright (C) Street 2019
InternalName | copastors.exe
FileVersion | 8.5.5.2
CompanyName | amrit
ProductName | vanes
ProductVersion | 3.3.0.6
FileDescription | rocketlike
OriginalFilename | pursuit's.exe
Translation | 0x0409 0x04b0

The version resource is filler: company, product and description are random dictionary words, and neither InternalName (copastors.exe) nor OriginalFilename (pursuit's.exe) matches the submitted name document.exe, which is what the "file name differs from version info" signature keys on.

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

All TCP traffic goes to port 6735 on 79.134.225.110 and 79.134.225.122, the two addresses behind the "non-standard ports" and "dynamic DNS" signatures above. Between 16:37:41 and 16:39:13 the client opens 17 connections, a fresh ephemeral port every 5-7 s, sending three packets about 0.5 s apart on each and getting an answer within roughly 85 ms every time. That regular cadence, not the port number, is the detection-grade property of this traffic.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 22, 2021 16:37:41.265849113 CET | 49737 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:41.351079941 CET | 6735 | 49737 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:41.861848116 CET | 49737 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:41.946278095 CET | 6735 | 49737 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:42.454593897 CET | 49737 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:42.537456036 CET | 6735 | 49737 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:46.675965071 CET | 49738 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:46.759013891 CET | 6735 | 49738 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:47.267448902 CET | 49738 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:47.351768970 CET | 6735 | 49738 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:47.861155033 CET | 49738 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:47.943890095 CET | 6735 | 49738 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:51.958003998 CET | 49739 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:52.040967941 CET | 6735 | 49739 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:52.549143076 CET | 49739 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:52.634360075 CET | 6735 | 49739 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:53.142852068 CET | 49739 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:37:53.227966070 CET | 6735 | 49739 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:37:57.823545933 CET | 49741 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:37:57.910815954 CET | 6735 | 49741 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:37:58.424524069 CET | 49741 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:37:58.510298014 CET | 6735 | 49741 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:37:59.018342972 CET | 49741 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:37:59.104568005 CET | 6735 | 49741 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:04.832668066 CET | 49743 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:04.915301085 CET | 6735 | 49743 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:05.425388098 CET | 49743 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:05.508040905 CET | 6735 | 49743 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:06.019125938 CET | 49743 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:06.103596926 CET | 6735 | 49743 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:10.680164099 CET | 49744 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:10.765731096 CET | 6735 | 49744 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:11.269349098 CET | 49744 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:11.356842041 CET | 6735 | 49744 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:11.863219976 CET | 49744 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:11.959744930 CET | 6735 | 49744 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:15.975316048 CET | 49745 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:16.061193943 CET | 6735 | 49745 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:16.566814899 CET | 49745 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:16.650237083 CET | 6735 | 49745 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:17.160432100 CET | 49745 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:17.243114948 CET | 6735 | 49745 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:21.257806063 CET | 49746 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:21.342331886 CET | 6735 | 49746 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:21.848464966 CET | 49746 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:21.931258917 CET | 6735 | 49746 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:22.442207098 CET | 49746 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:22.524801016 CET | 6735 | 49746 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:27.659423113 CET | 49747 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:27.744829893 CET | 6735 | 49747 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:28.255315065 CET | 49747 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:28.343302965 CET | 6735 | 49747 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:28.848983049 CET | 49747 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:28.933620930 CET | 6735 | 49747 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:33.255836010 CET | 49748 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:33.338984966 CET | 6735 | 49748 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:33.849450111 CET | 49748 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:33.943784952 CET | 6735 | 49748 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:34.458800077 CET | 49748 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:34.541537046 CET | 6735 | 49748 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:39.982991934 CET | 49751 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:40.065711021 CET | 6735 | 49751 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:40.569189072 CET | 49751 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:40.652091980 CET | 6735 | 49751 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:41.157509089 CET | 49751 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:41.240215063 CET | 6735 | 49751 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:45.705579996 CET | 49760 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:45.790061951 CET | 6735 | 49760 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:46.299804926 CET | 49760 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:46.384030104 CET | 6735 | 49760 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:46.893640041 CET | 49760 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:38:46.976705074 CET | 6735 | 49760 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:38:50.990186930 CET | 49761 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:51.077205896 CET | 6735 | 49761 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:51.582006931 CET | 49761 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:51.667587042 CET | 6735 | 49761 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:52.175306082 CET | 49761 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:52.262377977 CET | 6735 | 49761 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:56.272594929 CET | 49762 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:56.358114004 CET | 6735 | 49762 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:56.863210917 CET | 49762 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:56.953525066 CET | 6735 | 49762 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:38:57.457262039 CET | 49762 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:38:57.544751883 CET | 6735 | 49762 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:39:01.630726099 CET | 49763 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:39:01.713717937 CET | 6735 | 49763 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:39:02.219719887 CET | 49763 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:39:02.305814028 CET | 6735 | 49763 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:39:02.816864967 CET | 49763 | 6735 | 192.168.2.3 | 79.134.225.110
Feb 22, 2021 16:39:02.899641991 CET | 6735 | 49763 | 79.134.225.110 | 192.168.2.3
Feb 22, 2021 16:39:07.174407005 CET | 49764 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:39:07.259198904 CET | 6735 | 49764 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:39:07.770442963 CET | 49764 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:39:07.856234074 CET | 6735 | 49764 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:39:08.364450932 CET | 49764 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:39:08.449368000 CET | 6735 | 49764 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:39:12.829657078 CET | 49765 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:39:12.914236069 CET | 6735 | 49765 | 79.134.225.122 | 192.168.2.3
Feb 22, 2021 16:39:13.427114964 CET | 49765 | 6735 | 192.168.2.3 | 79.134.225.122
Feb 22, 2021 16:39:13.513720036 CET | 6735 | 49765 | 79.134.225.122 | 192.168.2.3

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Feb 22, 2021 16:35:44.134577990 CET  51281        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:44.194158077 CET  53           51281      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:44.995738029 CET  49199        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:45.057395935 CET  53           49199      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:45.070014000 CET  50620        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:45.121330023 CET  53           50620      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:47.044949055 CET  64938        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:47.098675966 CET  53           64938      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:47.841288090 CET  60152        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:47.893359900 CET  53           60152      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:49.203057051 CET  57544        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:49.260643005 CET  53           57544      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:50.388456106 CET  55984        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:50.440010071 CET  53           55984      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:51.557723999 CET  64185        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:51.606522083 CET  53           64185      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:52.813244104 CET  65110        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:52.866415977 CET  53           65110      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:53.837300062 CET  58361        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:53.885967970 CET  53           58361      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:54.702124119 CET  63492        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:54.750946999 CET  53           63492      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:55.639770031 CET  60831        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:55.691358089 CET  53           60831      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:56.572483063 CET  60100        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:56.621201038 CET  53           60100      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:57.328089952 CET  53195        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:57.376915932 CET  53           53195      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:58.478420973 CET  50141        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:58.527216911 CET  53           50141      8.8.8.8          192.168.2.3
Feb 22, 2021 16:35:59.605261087 CET  53023        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:35:59.655752897 CET  53           53023      8.8.8.8          192.168.2.3
Feb 22, 2021 16:36:00.384371996 CET  49563        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:36:00.436095953 CET  53           49563      8.8.8.8          192.168.2.3
Feb 22, 2021 16:36:01.513987064 CET  51352        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:36:01.565565109 CET  53           51352      8.8.8.8          192.168.2.3
Feb 22, 2021 16:36:02.318938017 CET  59349        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:36:02.370206118 CET  53           59349      8.8.8.8          192.168.2.3
Feb 22, 2021 16:36:26.169513941 CET  57084        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:36:26.229196072 CET  53           57084      8.8.8.8          192.168.2.3
Feb 22, 2021 16:36:39.877182007 CET  58823        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:36:39.928191900 CET  53           58823      8.8.8.8          192.168.2.3
Feb 22, 2021 16:36:45.340117931 CET  57568        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:36:45.390225887 CET  53           57568      8.8.8.8          192.168.2.3
Feb 22, 2021 16:37:02.755458117 CET  50540        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:37:02.813621044 CET  53           50540      8.8.8.8          192.168.2.3
Feb 22, 2021 16:37:19.631803036 CET  54366        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:37:19.705322981 CET  53           54366      8.8.8.8          192.168.2.3
Feb 22, 2021 16:37:25.851689100 CET  53034        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:37:25.915015936 CET  53           53034      8.8.8.8          192.168.2.3
Feb 22, 2021 16:37:56.192703009 CET  57762        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:37:56.244393110 CET  53           57762      8.8.8.8          192.168.2.3
Feb 22, 2021 16:37:57.741082907 CET  55435        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:37:57.800082922 CET  53           55435      8.8.8.8          192.168.2.3
Feb 22, 2021 16:37:58.161919117 CET  50713        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:37:58.236344099 CET  53           50713      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:03.483975887 CET  56132        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:04.472764969 CET  56132        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:04.830853939 CET  53           56132      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:10.613826036 CET  58987        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:10.678647041 CET  53           58987      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:33.188601017 CET  56579        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:33.254252911 CET  53           56579      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:38.848980904 CET  60633        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:38.900855064 CET  53           60633      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:39.357125044 CET  61292        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:39.416624069 CET  53           61292      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:39.923942089 CET  63619        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:39.970954895 CET  64938        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:39.981759071 CET  53           63619      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:40.031236887 CET  53           64938      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:40.407587051 CET  61946        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:40.457740068 CET  53           61946      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:40.837980986 CET  64910        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:40.897216082 CET  53           64910      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:41.366401911 CET  52123        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:41.416395903 CET  53           52123      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:41.864088058 CET  56130        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:41.924083948 CET  53           56130      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:42.492415905 CET  56338        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:42.549807072 CET  53           56338      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:43.205632925 CET  59420        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:43.256567001 CET  53           59420      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:43.648096085 CET  58784        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:43.706830025 CET  53           58784      8.8.8.8          192.168.2.3
Feb 22, 2021 16:38:45.641515017 CET  63978        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:38:45.703701973 CET  53           63978      8.8.8.8          192.168.2.3
Feb 22, 2021 16:39:07.114648104 CET  62938        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:39:07.173084974 CET  53           62938      8.8.8.8          192.168.2.3
Feb 22, 2021 16:39:12.765547991 CET  55708        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:39:12.824115992 CET  53           55708      8.8.8.8          192.168.2.3
Feb 22, 2021 16:39:18.728935957 CET  56803        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:39:18.785767078 CET  53           56803      8.8.8.8          192.168.2.3
Feb 22, 2021 16:39:40.300434113 CET  57145        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:39:40.362126112 CET  53           57145      8.8.8.8          192.168.2.3
Feb 22, 2021 16:39:45.689848900 CET  55359        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:39:45.747180939 CET  53           55359      8.8.8.8          192.168.2.3
Feb 22, 2021 16:39:51.113612890 CET  58306        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:39:51.178608894 CET  53           58306      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:12.389492035 CET  64124        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:12.446680069 CET  53           64124      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:17.814945936 CET  49361        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:17.878400087 CET  53           49361      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:23.220724106 CET  63150        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:23.283564091 CET  53           63150      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:36.408612013 CET  53279        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:36.468389034 CET  53           53279      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:36.919315100 CET  56881        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:36.984726906 CET  53           56881      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:37.783770084 CET  53642        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:37.836837053 CET  53           53642      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:38.307068110 CET  55667        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:38.371927023 CET  53           55667      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:38.660815954 CET  54833        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:38.747956991 CET  53           54833      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:46.330249071 CET  62476        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:46.391926050 CET  53           62476      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:51.740901947 CET  49705        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:51.799696922 CET  53           49705      8.8.8.8          192.168.2.3
Feb 22, 2021 16:40:57.151721001 CET  61477        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:40:57.208571911 CET  53           61477      8.8.8.8          192.168.2.3
Feb 22, 2021 16:41:18.408799887 CET  61633        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:41:18.465759993 CET  53           61633      8.8.8.8          192.168.2.3
Feb 22, 2021 16:41:23.823635101 CET  55949        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:41:23.888911009 CET  53           55949      8.8.8.8          192.168.2.3
Feb 22, 2021 16:41:29.228153944 CET  57601        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:41:29.287206888 CET  53           57601      8.8.8.8          192.168.2.3
Feb 22, 2021 16:41:50.490130901 CET  49342        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:41:50.549242973 CET  53           49342      8.8.8.8          192.168.2.3
Feb 22, 2021 16:41:56.674190044 CET  56253        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:41:56.736052990 CET  53           56253      8.8.8.8          192.168.2.3
Feb 22, 2021 16:42:02.100918055 CET  49667        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:42:02.159964085 CET  53           49667      8.8.8.8          192.168.2.3
Feb 22, 2021 16:42:25.759594917 CET  55439        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:42:25.816840887 CET  53           55439      8.8.8.8          192.168.2.3
Feb 22, 2021 16:42:31.159904003 CET  57069        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:42:31.221770048 CET  53           57069      8.8.8.8          192.168.2.3
Feb 22, 2021 16:42:36.591656923 CET  57659        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:42:36.653882027 CET  53           57659      8.8.8.8          192.168.2.3
Feb 22, 2021 16:42:57.825150967 CET  54717        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:42:57.885962963 CET  53           54717      8.8.8.8          192.168.2.3
Feb 22, 2021 16:43:03.303792000 CET  63975        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:04.337645054 CET  63975        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:04.396392107 CET  53           63975      8.8.8.8          192.168.2.3
Feb 22, 2021 16:43:09.741367102 CET  56639        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:09.798619986 CET  53           56639      8.8.8.8          192.168.2.3
Feb 22, 2021 16:43:27.663825035 CET  51856        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:27.717261076 CET  53           51856      8.8.8.8          192.168.2.3
Feb 22, 2021 16:43:30.960230112 CET  56546        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:31.021744967 CET  53           56546      8.8.8.8          192.168.2.3
Feb 22, 2021 16:43:38.770631075 CET  62152        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:38.829248905 CET  53           62152      8.8.8.8          192.168.2.3
Feb 22, 2021 16:43:44.189871073 CET  53470        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:44.248924017 CET  53           53470      8.8.8.8          192.168.2.3
Feb 22, 2021 16:43:57.884694099 CET  56446        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:43:57.952442884 CET  53           56446      8.8.8.8          192.168.2.3
Feb 22, 2021 16:44:05.433654070 CET  59631        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:44:05.492403984 CET  53           59631      8.8.8.8          192.168.2.3
Feb 22, 2021 16:44:10.846462965 CET  55515        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:44:10.898217916 CET  53           55515      8.8.8.8          192.168.2.3
Feb 22, 2021 16:44:16.187978983 CET  64547        53         192.168.2.3      8.8.8.8
Feb 22, 2021 16:44:16.248155117 CET  53           64547      8.8.8.8          192.168.2.3

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
Feb 22, 2021 16:37:57.741082907 CET  192.168.2.3  8.8.8.8  0x3ac6    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:38:03.483975887 CET  192.168.2.3  8.8.8.8  0x8c81    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:38:04.472764969 CET  192.168.2.3  8.8.8.8  0x8c81    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:38:10.613826036 CET  192.168.2.3  8.8.8.8  0x578     Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:38:33.188601017 CET  192.168.2.3  8.8.8.8  0x962a    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:38:39.923942089 CET  192.168.2.3  8.8.8.8  0x2d71    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:38:45.641515017 CET  192.168.2.3  8.8.8.8  0x9460    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:39:07.114648104 CET  192.168.2.3  8.8.8.8  0x88ca    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:39:12.765547991 CET  192.168.2.3  8.8.8.8  0x1299    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:39:18.728935957 CET  192.168.2.3  8.8.8.8  0x9b5d    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:39:40.300434113 CET  192.168.2.3  8.8.8.8  0x1f50    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:39:45.689848900 CET  192.168.2.3  8.8.8.8  0x7479    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:39:51.113612890 CET  192.168.2.3  8.8.8.8  0x36bf    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:40:12.389492035 CET  192.168.2.3  8.8.8.8  0x9d5c    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:40:17.814945936 CET  192.168.2.3  8.8.8.8  0x181a    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:40:23.220724106 CET  192.168.2.3  8.8.8.8  0x8ae3    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:40:46.330249071 CET  192.168.2.3  8.8.8.8  0x302f    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:40:51.740901947 CET  192.168.2.3  8.8.8.8  0x8df5    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:40:57.151721001 CET  192.168.2.3  8.8.8.8  0x83e9    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:41:18.408799887 CET  192.168.2.3  8.8.8.8  0x4d77    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:41:23.823635101 CET  192.168.2.3  8.8.8.8  0x7e7c    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:41:29.228153944 CET  192.168.2.3  8.8.8.8  0x965f    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:41:50.490130901 CET  192.168.2.3  8.8.8.8  0x90ea    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:41:56.674190044 CET  192.168.2.3  8.8.8.8  0x6374    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:42:02.100918055 CET  192.168.2.3  8.8.8.8  0xff70    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:42:25.759594917 CET  192.168.2.3  8.8.8.8  0x2b5c    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:42:31.159904003 CET  192.168.2.3  8.8.8.8  0x8c0f    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:42:36.591656923 CET  192.168.2.3  8.8.8.8  0x27eb    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:42:57.825150967 CET  192.168.2.3  8.8.8.8  0xf454    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:43:03.303792000 CET  192.168.2.3  8.8.8.8  0x6bb8    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:43:04.337645054 CET  192.168.2.3  8.8.8.8  0x6bb8    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:43:09.741367102 CET  192.168.2.3  8.8.8.8  0x7e7b    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:43:30.960230112 CET  192.168.2.3  8.8.8.8  0xa7ff    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:43:38.770631075 CET  192.168.2.3  8.8.8.8  0x96b7    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:43:44.189871073 CET  192.168.2.3  8.8.8.8  0x96e7    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:44:05.433654070 CET  192.168.2.3  8.8.8.8  0xf053    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:44:10.846462965 CET  192.168.2.3  8.8.8.8  0xf92e    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)
Feb 22, 2021 16:44:16.187978983 CET  192.168.2.3  8.8.8.8  0x9a1e    Standard query (0)  abdul2u.ddns.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 16:35:50
Start date: 22/02/2021
Path: C:\Users\user\Desktop\document.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\document.exe'
Imagebase: 0x280000
File size: 320595 bytes
MD5 hash: A777EE74F09E40B1E32FF3007EB89D14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.424237647.00000000017A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 16:37:35
Start date: 22/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\document.exe'
Imagebase: 0x850000
File size: 53248 bytes
MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 16:37:38
Start date: 22/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp72B1.tmp'
Imagebase: 0xb40000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:37:39
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:37:39
Start date: 22/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp75FE.tmp'
Imagebase: 0xb40000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:37:39
Start date: 22/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Imagebase: 0x2e0000
File size: 53248 bytes
MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 16:37:40
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:37:40
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:37:42
Start date: 22/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase: 0xa60000
File size: 53248 bytes
MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 16:37:42
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:37:47
Start date: 22/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x9b0000
File size: 53248 bytes
MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 16:37:47
Start date: 22/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis