Analysis Report e92b274943f4a3a557881ee0dd57772d.exe

Overview

General Information

Sample Name: e92b274943f4a3a557881ee0dd57772d.exe
Analysis ID: 356808
MD5: 1f2b71c462d73dcdcc69a707a18c38d6
SHA1: 98957c96b7c2dd066b6c5108f8ded53983427472
SHA256: c6e001729b8abc3d321756d6964e1a84148f19004f03606953ebba32081f4c75
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • e92b274943f4a3a557881ee0dd57772d.exe (PID: 5900 cmdline: 'C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe' MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • e92b274943f4a3a557881ee0dd57772d.exe (PID: 6108 cmdline: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
      • schtasks.exe (PID: 2336 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2880 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp266B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6296 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • dhcpmon.exe (PID: 6468 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
  • dhcpmon.exe (PID: 6720 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • dhcpmon.exe (PID: 7024 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • backgroundTaskHost.exe (PID: 7024 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "94----",
  "Group": "V-HASH",
  "Domain1": "cloudhost.myfirewall.org",
  "Domain2": "cloudhost.myfirewall.org",
  "Port": 5654,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "cloudhost.myfirewall.org",
  "BackupDNSServer": "cloudhost.myfirewall.org",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000009.00000002.275177741.0000000002FB1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(52 entries in total; only the first five are listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
• 0x1018d:$x1: NanoCore.ClientPluginHost
• 0x101ca:$x2: IClientNetworkHost
• 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
• 0xff05:$x1: NanoCore Client.exe
• 0x1018d:$x2: NanoCore.ClientPluginHost
• 0x117c6:$s1: PluginCommand
• 0x117ba:$s2: FileCommand
• 0x1266b:$s3: PipeExists
• 0x18422:$s4: PipeCreated
• 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.dhcpmon.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
• 0xfef5:$a: NanoCore
• 0xff05:$a: NanoCore
• 0x10139:$a: NanoCore
• 0x1014d:$a: NanoCore
• 0x1018d:$a: NanoCore
• 0xff54:$b: ClientPlugin
• 0x10156:$b: ClientPlugin
• 0x10196:$b: ClientPlugin
• 0x1007b:$c: ProjectData
• 0x10a82:$d: DESCrypto
• 0x1844e:$e: KeepAlive
• 0x1643c:$g: LogClientMessage
• 0x12637:$i: get_Connected
• 0x10db8:$j: #=q
• 0x10de8:$j: #=q
• 0x10e04:$j: #=q
• 0x10e34:$j: #=q
• 0x10e50:$j: #=q
• 0x10e6c:$j: #=q
• 0x10e9c:$j: #=q
• 0x10eb8:$j: #=q
12.2.dhcpmon.exe.3c430dd.6.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
• 0xb184:$x1: NanoCore.ClientPluginHost
• 0x241a0:$x1: NanoCore.ClientPluginHost
• 0xb1b1:$x2: IClientNetworkHost
• 0x241cd:$x2: IClientNetworkHost
(124 entries in total; only the first few are listed here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ProcessId: 6108, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ParentImage: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ParentProcessId: 6108, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', ProcessId: 2336

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore (the extracted configuration is identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 10%
Yara detected Nanocore RAT
Source: Yara match; file source: memory dumps of the sample and of dhcpmon.exe (14 entries, type: MEMORY)
Source: Yara match; file source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108, type: MEMORY
Source: Yara match; file source: Process Memory Space: dhcpmon.exe PID: 7024, type: MEMORY
Source: Yara match; file source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460, type: MEMORY
Source: Yara match; file source: Process Memory Space: dhcpmon.exe PID: 6468, type: MEMORY
Source: Yara match; file source: unpacked PE images of the sample and of dhcpmon.exe (32 entries, type: UNPACKEDPE)
Source: 20.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: e92b274943f4a3a557881ee0dd57772d.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: e92b274943f4a3a557881ee0dd57772d.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.500217236.0000000000955000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.257690003.0000000006680000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.279859695.00000000066E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.281624150.0000000006B30000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.296987366.00000000077D0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: cloudhost.myfirewall.org
Source: global traffic TCP traffic: 192.168.2.5:49717 -> 79.134.225.105:5654
Source: Joe Sandbox View IP Address: 79.134.225.105
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown DNS traffic detected: queries for: cloudhost.myfirewall.org
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: dhcpmon.exe, dhcpmon.exe, 0000000C.00000002.287680615.0000000000492000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000000.282951821.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000000.288641273.0000000000D42000.00000002.00020000.sdmp, e92b274943f4a3a557881ee0dd57772d.exeString found in binary or memory: http://qunect.com/download/QuNect.exe
              Source: e92b274943f4a3a557881ee0dd57772d.exeString found in binary or memory: http://qunect.com/download/QuNect.exeMOperation
              Source: e92b274943f4a3a557881ee0dd57772d.exeString found in binary or memory: http://validator.w3.org/check?uri=referer
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.240286022.0000000005029000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersg#
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.250488584.0000000005020000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.250488584.0000000005020000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comasva04x
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.233921994.000000000503B000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.233865303.000000000503B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comx
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.251261755.0000000000B3B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
.NET source code contains very large strings
Source: e92b274943f4a3a557881ee0dd57772d.exe, frmRazor.cs Long String: Length: 13656
Source: 0.0.e92b274943f4a3a557881ee0dd57772d.exe.4c0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.4c0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: dhcpmon.exe.2.dr, frmRazor.cs Long String: Length: 13656
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.4a0000.1.unpack, frmRazor.cs Long String: Length: 13656
Source: 2.0.e92b274943f4a3a557881ee0dd57772d.exe.4a0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 9.0.e92b274943f4a3a557881ee0dd57772d.exe.8c0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.8c0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 10.0.dhcpmon.exe.d10000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 10.2.dhcpmon.exe.d10000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.850000.1.unpack, frmRazor.cs Long String: Length: 13656
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000000.232516682.0000000000536000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFilters.exe< vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.259065727.0000000006840000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.251261755.0000000000B3B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.257690003.0000000006680000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.504705166.0000000002AC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.500021122.0000000000516000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFilters.exe< vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.275177741.0000000002FB1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000000.260411701.0000000000936000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFilters.exe< vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.279859695.00000000066E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.280111887.0000000006880000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.287796822.00000000008C6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFilters.exe< vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.291214663.00000000051A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe | Binary or memory string: OriginalFilenameFilters.exe< vs e92b274943f4a3a557881ee0dd57772d.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 7024, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 7024, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6468, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6468, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.dhcpmon.exe.3c430dd.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.3c430dd.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.44430dd.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.44430dd.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.dhcpmon.exe.3c39c7e.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.3c39c7e.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.dhcpmon.exe.3c39c7e.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.dhcpmon.exe.2c13ac8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.2c13ac8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.dhcpmon.exe.4660830.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.dhcpmon.exe.4660830.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.dhcpmon.exe.4660830.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.2ad1338.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.2ad1338.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.dhcpmon.exe.4660830.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.dhcpmon.exe.4660830.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.dhcpmon.exe.4660830.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.443eab4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.443eab4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f13acc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f13acc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f01794.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f01794.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.3bbe580.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3bbe580.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3b64760.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3b64760.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3cb0830.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3cb0830.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.3cb0830.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 12.2.dhcpmon.exe.3c3eab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 12.2.dhcpmon.exe.3c3eab4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 20.2.dhcpmon.exe.443eab4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 20.2.dhcpmon.exe.443eab4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 16.2.dhcpmon.exe.3cb0830.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.dhcpmon.exe.3cb0830.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 16.2.dhcpmon.exe.3cb0830.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 10.2.dhcpmon.exe.4514760.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 10.2.dhcpmon.exe.4514760.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 20.2.dhcpmon.exe.4439c7e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 20.2.dhcpmon.exe.4439c7e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 20.2.dhcpmon.exe.4439c7e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 20.2.dhcpmon.exe.3413ac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 20.2.dhcpmon.exe.3413ac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 20.2.dhcpmon.exe.34017ac.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 20.2.dhcpmon.exe.34017ac.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 12.2.dhcpmon.exe.2c017ac.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 12.2.dhcpmon.exe.2c017ac.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 12.2.dhcpmon.exe.3c3eab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 12.2.dhcpmon.exe.3c3eab4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 10.2.dhcpmon.exe.456e580.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 10.2.dhcpmon.exe.456e580.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: e92b274943f4a3a557881ee0dd57772d.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@19/8@22/2
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e92b274943f4a3a557881ee0dd57772d.exe.log
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4012:120:WilError_01
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{d1470c94-c693-4be3-b7c3-884d57fb2b86}
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | File created: C:\Users\user\AppData\Local\Temp\tmp22EF.tmp
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | File read: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
Source: unknown | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe 'C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe'
Source: unknown | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp266B.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe 0
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown | Process created: C:\Windows\System32\backgroundTaskHost.exe 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp'
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp266B.tmp'
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: e92b274943f4a3a557881ee0dd57772d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: e92b274943f4a3a557881ee0dd57772d.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.500217236.0000000000955000.00000004.00000040.sdmp
              Source: Binary string: mscorrc.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.257690003.0000000006680000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.279859695.00000000066E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.281624150.0000000006B30000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.296987366.00000000077D0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: e92b274943f4a3a557881ee0dd57772d.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.e92b274943f4a3a557881ee0dd57772d.exe.4c0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.4c0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.4a0000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.e92b274943f4a3a557881ee0dd57772d.exe.4a0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.e92b274943f4a3a557881ee0dd57772d.exe.8c0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.8c0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.dhcpmon.exe.d10000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.dhcpmon.exe.d10000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.850000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_00B02CE2 push cs; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_00B02C59 push es; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_00B02C88 push cs; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_00B166EA pushad ; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_00B17313 push eax; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_04CE48A8 push edi; retf 0004h
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_04CE8829 push edi; retf
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_04CEB152 push es; iretd
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_04CEB685 pushfd ; retf
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_04CE3A20 push edx; retf 0004h
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 0_2_04CE0398 pushfd ; retf 0004h
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00CF2A44 pushad ; iretd
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00CF2840 push CC720541h; iretd
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00CF2BEC push cs; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00CF27FC push CC720541h; iretd
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00CF2BBD push cs; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00D074B8 push ebp; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00D074AC push ecx; ret
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00D09D74 push eax; retf
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 2_2_00D09D78 pushad ; retf
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 9_2_02C0B685 pushfd ; retf
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 9_2_02C08829 push edi; retf
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Code function: 9_2_02C0B152 push es; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01572C94 push cs; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01572C65 push es; ret
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_01572CEE push cs; ret
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0158731C push eax; ret
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_015866E6 pushad ; ret
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0304B685 pushfd ; retf
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0304B152 push es; iretd
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_03048829 push edi; retf
              Source: initial sampleStatic PE information: section name: .text entropy: 7.64910376893
              Source: initial sampleStatic PE information: section name: .text entropy: 7.64910376893
              Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp'

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | File opened: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              barindex
              Yara detected AntiVM_3Show sources
Source: Yara match | File source: 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.275177741.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.252271147.0000000002BA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.292697027.0000000002A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.275574869.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6200, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6296, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6720, type: MEMORY
Source: Yara match | File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 5900, type: MEMORY
Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.2fc3ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.33c3ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.dhcpmon.exe.2a141d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.2bb41d0.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Window / User API: foregroundWindowGot 907
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe TID: 5976 | Thread sleep time: -100188s >= -30000s
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe TID: 5724 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe TID: 5904 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe TID: 4644 | Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe TID: 6204 | Thread sleep time: -104756s >= -30000s
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe TID: 6316 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6300 | Thread sleep time: -104946s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6336 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe TID: 6516 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6548 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6724 | Thread sleep time: -99836s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6828 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7072 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Memory written: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp'
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp266B.tmp'
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Process created: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.506318465.0000000002C3A000.00000004.00000001.sdmp | Binary or memory string: Program ManagerH
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.505259041.0000000002B4E000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.502322679.0000000001230000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.502322679.0000000001230000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.502322679.0000000001230000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.502322679.0000000001230000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.502322679.0000000001230000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected Nanocore RAT
              Source: Yara match | File source: 0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.289889933.0000000002EF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108, type: MEMORY
              Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7024, type: MEMORY
              Source: Yara match | File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460, type: MEMORY
              Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6468, type: MEMORY
              Source: Yara match | File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c430dd.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.44430dd.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c39c7e.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.4660830.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.4660830.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.443eab4.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3bbe580.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3b64760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3cb0830.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c3eab4.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.443eab4.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3cb0830.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.4514760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.4439c7e.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c3eab4.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.456e580.2.raw.unpack, type: UNPACKEDPE

              Remote Access Functionality:

              Detected Nanocore Rat
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.504705166.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.504705166.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: e92b274943f4a3a557881ee0dd57772d.exe, 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: dhcpmon.exe, 0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: dhcpmon.exe, 00000014.00000002.310328502.0000000003410000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000014.00000002.310328502.0000000003410000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Yara detected Nanocore RAT
              Source: Yara match | File source: 0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.289889933.0000000002EF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108, type: MEMORY
              Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7024, type: MEMORY
              Source: Yara match | File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460, type: MEMORY
              Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6468, type: MEMORY
              Source: Yara match | File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c430dd.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.44430dd.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c39c7e.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.4660830.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.4660830.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.443eab4.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3bbe580.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3b64760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3cb0830.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c3eab4.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.443eab4.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.dhcpmon.exe.3cb0830.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.4514760.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.dhcpmon.exe.4439c7e.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.dhcpmon.exe.3c3eab4.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.dhcpmon.exe.456e580.2.raw.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Masquerading2 | Input Capture21 | Security Software Discovery21 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion2 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information31 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph

              (The behavior graph is an image on the original page; the node and edge information recoverable from it is listed below.)

              Behavior Graph ID: 356808; Sample: e92b274943f4a3a557881ee0dd5...; Startdate: 23/02/2021; Architecture: WINDOWS; Score: 100

              Start node:
              • DNS/IP: cloudhost.myfirewall.org
              • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 10 other signatures
              • Started: e92b274943f4a3a557881ee0dd57772d.exe [9]; dhcpmon.exe [12]; e92b274943f4a3a557881ee0dd57772d.exe [14]; dhcpmon.exe [16]

              Process [9] e92b274943f4a3a557881ee0dd57772d.exe:
              • Signatures: Injects a PE file into a foreign processes
              • Started: e92b274943f4a3a557881ee0dd57772d.exe [18]

              Process [12] dhcpmon.exe:
              • Started: dhcpmon.exe [23]; backgroundTaskHost.exe [25]

              Process [14] e92b274943f4a3a557881ee0dd57772d.exe:
              • Started: e92b274943f4a3a557881ee0dd57772d.exe [27]

              Process [16] dhcpmon.exe:
              • Started: dhcpmon.exe [29]

              Process [18] e92b274943f4a3a557881ee0dd57772d.exe:
              • DNS/IP: cloudhost.myfirewall.org 79.134.225.105, ports 49717, 49720, 49721, FINK-TELECOM-SERVICESCH Switzerland; 192.168.2.1 unknown unknown
              • Dropped files: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmp22EF.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
              • Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
              • Started: schtasks.exe [31]; schtasks.exe [33]

              Process [31] schtasks.exe:
              • Started: conhost.exe [35]

              Process [33] schtasks.exe:
              • Started: conhost.exe [37]


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              No Antivirus matches

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 10% | ReversingLabs | Win32.Trojan.AgentTesla

              Unpacked PE Files

              Source | Detection | Scanner | Label
              20.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              12.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

              Domains

              Source | Detection | Scanner | Label
              cloudhost.myfirewall.org | 1% | Virustotal |

              URLs

              Source | Detection | Scanner | Label
              cloudhost.myfirewall.org | 1% | Virustotal |
              cloudhost.myfirewall.org | 0% | Avira URL Cloud | safe
              http://qunect.com/download/QuNect.exe | 0% | Virustotal |
              http://qunect.com/download/QuNect.exe | 0% | Avira URL Cloud | safe
              http://www.fontbureau.comF | 0% | URL Reputation | safe
              http://www.fontbureau.comF | 0% | URL Reputation | safe
              http://www.fontbureau.comF | 0% | URL Reputation | safe
              http://www.fontbureau.comF | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
              http://www.jiyu-kobo.co.jp/j4 | 0% | Avira URL Cloud | safe
              http://www.jiyu-kobo.co.jp/a-e | 0% | Avira URL Cloud | safe
              http://www.jiyu-kobo.co.jp/O | 0% | Avira URL Cloud | safe
              http://www.jiyu-kobo.co.jp/04x | 0% | Avira URL Cloud | safe
              http://www.founder.com.cn/cnU | 0% | Avira URL Cloud | safe
              http://www.tiro.com | 0% | URL Reputation | safe
              http://www.tiro.com | 0% | URL Reputation | safe
              http://www.tiro.com | 0% | URL Reputation | safe
              http://www.goodfont.co.kr | 0% | URL Reputation | safe
              http://www.goodfont.co.kr | 0% | URL Reputation | safe
              http://www.goodfont.co.kr | 0% | URL Reputation | safe
              http://www.carterandcone.coml | 0% | URL Reputation | safe
              http://www.carterandcone.coml | 0% | URL Reputation | safe
              http://www.carterandcone.coml | 0% | URL Reputation | safe
              http://www.sajatypeworks.com | 0% | URL Reputation | safe
              http://www.sajatypeworks.com | 0% | URL Reputation | safe
              http://www.sajatypeworks.com | 0% | URL Reputation | safe
              http://www.jiyu-kobo.co.jp/-4 | 0% | Avira URL Cloud | safe
              http://www.typography.netD | 0% | URL Reputation | safe
              http://www.typography.netD | 0% | URL Reputation | safe
              http://www.typography.netD | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
              http://fontfabrik.com | 0% | URL Reputation | safe
              http://fontfabrik.com | 0% | URL Reputation | safe
              http://fontfabrik.com | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn0 | 0% | Avira URL Cloud | safe
              http://www.sajatypeworks.comporH | 0% | Avira URL Cloud | safe
              http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
              http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
              http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
              http://www.jiyu-kobo.co.jp/c4 | 0% | Avira URL Cloud | safe
              http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/i | 0% | Avira URL Cloud | safe
              http://www.sandoll.co.krnta | 0% | Avira URL Cloud | safe
              http://www.sandoll.co.kr | 0% | URL Reputation | safe
              http://www.sandoll.co.kr | 0% | URL Reputation | safe
              http://www.sandoll.co.kr | 0% | URL Reputation | safe
              http://www.urwpp.deDPlease | 0% | URL Reputation | safe
              http://www.urwpp.deDPlease | 0% | URL Reputation | safe
              http://www.urwpp.deDPlease | 0% | URL Reputation | safe
              http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
              http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
              http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
              http://qunect.com/download/QuNect.exeMOperation | 0% | Avira URL Cloud | safe
              http://www.founder.com.cn/cnu-h | 0% | Avira URL Cloud | safe
              http://www.sakkal.com | 0% | URL Reputation | safe
              http://www.sakkal.com | 0% | URL Reputation | safe
              http://www.sakkal.com | 0% | URL Reputation | safe
              http://www.fonts.comx | 0% | Avira URL Cloud | safe
              http://www.fontbureau.comasva04x | 0% | Avira URL Cloud | safe
              http://www.jiyu-kobo.co.jp/T4$ | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              cloudhost.myfirewall.org | 79.134.225.105 | true | true | | unknown

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              cloudhost.myfirewall.org | true | 1%, Virustotal; Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://www.apache.org/licenses/LICENSE-2.0 | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmp | false | | high
              http://www.fontbureau.com | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmp | false | | high
              http://www.fontbureau.com/designersG | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmp | false | | high
              http://qunect.com/download/QuNect.exe | dhcpmon.exe, dhcpmon.exe, 0000000C.00000002.287680615.0000000000492000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000000.282951821.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000000.288641273.0000000000D42000.00000002.00020000.sdmp, e92b274943f4a3a557881ee0dd57772d.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://www.fontbureau.comF | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.250488584.0000000005020000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
              http://www.fontbureau.com/designers/? | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmp | false | | high
              http://www.founder.com.cn/cn/bThe | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
              http://www.jiyu-kobo.co.jp/j4 | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.jiyu-kobo.co.jp/a-e | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.fontbureau.com/designers? | e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmp | false
                        high
                        http://www.jiyu-kobo.co.jp/Oe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/04xe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.founder.com.cn/cnUe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.235501924.0000000005024000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.tiro.comdhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designersdhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                          high
                          http://www.goodfont.co.kre92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.csse92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmpfalse
                            high
                            http://www.carterandcone.comle92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.sajatypeworks.come92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.233760280.000000000503B000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/-4e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.typography.netDe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cn/cThee92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.galapagosdesign.com/staff/dennis.htme92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://fontfabrik.come92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cne92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn0e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.235491079.000000000505D000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designers/frere-jones.htmle92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                high
                                http://www.sajatypeworks.comporHe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.233717864.000000000503E000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/c4e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.galapagosdesign.com/DPleasee92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://validator.w3.org/check?uri=referere92b274943f4a3a557881ee0dd57772d.exefalse
                                  high
                                  http://www.fontbureau.com/designers8e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.com/designersg#e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.240286022.0000000005029000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.founder.com.cn/cn/ie92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.235685065.0000000005024000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.sandoll.co.krntae92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.234803629.0000000005029000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fonts.come92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.233921994.000000000503B000.00000004.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.sandoll.co.kre92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deDPleasee92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.zhongyicts.com.cne92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://qunect.com/download/QuNect.exeMOperatione92b274943f4a3a557881ee0dd57772d.exefalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cnu-he92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.235491079.000000000505D000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sakkal.come92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.255551391.0000000005110000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.278284760.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.279293564.00000000059E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.294768587.0000000004F30000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fonts.comxe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.233865303.000000000503B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.comasva04xe92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.250488584.0000000005020000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/T4$e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000003.237262965.0000000005024000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown

                                        Contacted IPs

Public

IP              Domain   Country      ASN   ASN Name                 Malicious
79.134.225.105  unknown  Switzerland  6775  FINK-TELECOM-SERVICESCH  true

Private

IP
192.168.2.1

                                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356808
Start date: 23.02.2021
Start time: 17:06:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: e92b274943f4a3a557881ee0dd57772d.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@19/8@22/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.7% (good quality ratio 1.4%)
• Quality average: 46.2%
• Quality standard deviation: 25.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                        • TCP Packets have been reduced to 100
                                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 51.103.5.186, 13.64.90.137, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.11.168.160, 168.61.161.212, 23.211.6.115, 40.88.32.150, 104.42.151.234, 184.30.24.56, 51.103.5.159, 51.104.139.180, 92.122.213.247, 92.122.213.194, 20.54.26.129, 84.53.167.113
                                        • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

Time      Type             Description
17:07:17  API Interceptor  913x Sleep call for process: e92b274943f4a3a557881ee0dd57772d.exe modified
17:07:23  Task Scheduler   Run new task: DHCP Monitor path: "C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe" s>$(Arg0)
17:07:23  Task Scheduler   Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
17:07:25  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
17:07:26  API Interceptor  2x Sleep call for process: dhcpmon.exe modified

                                        Joe Sandbox View / Context

                                                                            HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exeGet hashmaliciousBrowse
                                                                            • 79.134.225.62
                                                                            Form pdf.exeGet hashmaliciousBrowse
                                                                            • 79.134.225.25
                                                                            Quotation 3342688.exeGet hashmaliciousBrowse
                                                                            • 79.134.225.120
                                                                            REQUEST FOR QUOTATION.exeGet hashmaliciousBrowse
                                                                            • 79.134.225.76

                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            No context

Created / dropped Files

File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 475648
Entropy (8bit): 7.633075553718302
Encrypted: false
SSDEEP: 12288:KDWVp7lNYUvq2gFgkeu0cNOYVAKe7dE9jGEiuk:KiV57Yr99eu0cN3VC7vEil
MD5: 1F2B71C462D73DCDCC69A707A18C38D6
SHA1: 98957C96B7C2DD066B6C5108F8DED53983427472
SHA-256: C6E001729B8ABC3D321756D6964E1A84148F19004F03606953EBBA32081F4C75
SHA-512: EE9033D27B384894BC73BFC9AB21ECE48D3FF9CE858A99C29B10F9F687DE0201AFBD238B6141ABC6D44775979AC368D4E843B8F78B910751F187F87F2857C8F8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 10%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P..,...........K... ...`....@.. ....................................@.................................hK..O....`............................................................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............@..............@..B.................K......H...........?......n........R...........................................0............(....(..........(.....o.....*.....................(.......( ......(!......("......(#....*N..(....og...($....*&..(%....*.s&........s'........s(........s)........s*........*....0...........~....o+....+..*.0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+..*.0......

File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

File: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

File: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e92b274943f4a3a557881ee0dd57772d.exe.log
Process: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

File: C:\Users\user\AppData\Local\Temp\tmp22EF.tmp
Process: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1323
Entropy (8bit): 5.1600199834185245
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Pmxtn:cbk4oL600QydbQxIYODOLedq3Smj
MD5: A2656079C3A26D530BF27B9B65082EB8
SHA1: 8B4B44848C52291110A41283EACEE9922B6B5DD2
SHA-256: 3CE09B678463F0BB81EF3CC3DD814BC99937D3F9D2203CE3CAAB188D5FAD603E
SHA-512: 20B281B387315EDF7624B37906DC74B9016FF2C41C6612C373C33F6C97076A6B78A532FED66A078BF99E5FD64346119038EBAD0AD4AB2FB1B1EC5F27E7B31E45
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

File: C:\Users\user\AppData\Local\Temp\tmp266B.tmp
Process: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1310
Entropy (8bit): 5.109425792877704
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

File: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 2.75
Encrypted: false
SSDEEP: 3:a1ft:a/
MD5: 27205FFD95E8C21E294722F6C7C90F87
SHA1: AE76805E7334FDB1C3D0AD94DE3E37BF98732DE4
SHA-256: B3FAE43AD48058B592FCE99E646420CECCBF1F62296B6571A51BFD9102EA059B
SHA-512: 1B10F5AAD92C94689BCA4C13D9455DBD4E33E38225A1FCC32E2BB9BCECA4B8C61518F8C14A0782E522F862B291A4CE3970117E9813F705E9D5DB62AD8B12B876
Malicious: true
Preview: ./.`..H

File: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.556297888280896
Encrypted: false
SSDEEP: 3:oNUWJRWAii2FS8lVyILN:oNNJAAiHFnl7
MD5: 3597821A0D92E1F7F1C2EE61421DE72B
SHA1: D15AB9D668CE9589CABF2B508791D845EA04C68C
SHA-256: D881E5C2A38DC4DBE74A711776BD7EB83E777593FEACAAA8BEED9A9520256CFC
SHA-512: 1FDC4AE5A9E2FC2BF6A48D5D6AB09933F796E567E362E965C83888301FDC80CF53570D008ED2157CC462749E832411A3030E319B015AA135836445B80F581118
Malicious: false
Preview: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.633075553718302
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: e92b274943f4a3a557881ee0dd57772d.exe
File size: 475648
MD5: 1f2b71c462d73dcdcc69a707a18c38d6
SHA1: 98957c96b7c2dd066b6c5108f8ded53983427472
SHA256: c6e001729b8abc3d321756d6964e1a84148f19004f03606953ebba32081f4c75
SHA512: ee9033d27b384894bc73bfc9ab21ece48d3ff9ce858a99c29b10f9f687de0201afbd238b6141abc6d44775979ac368d4e843b8f78b910751f187f87f2857c8f8
SSDEEP: 12288:KDWVp7lNYUvq2gFgkeu0cNOYVAKe7dE9jGEiuk:KiV57Yr99eu0cN3VC7vEil
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P..,...........K... ...`....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x474bba
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6034EC9E [Tue Feb 23 11:53:02 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            Name                                 Virtual Address  Virtual Size  Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT         0x74b68          0x4f          .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE       0x76000          0x10fc        .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC      0x78000          0xc           .reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

                                                                            Sections

                                                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                            .text   0x2000           0x72bc0       0x72c00   False     0.835452410131   data       7.64910376893   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .rsrc   0x76000          0x10fc        0x1200    False     0.377387152778   data       4.91259584588   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc  0x78000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
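The .text section above has an entropy of 7.65 out of a possible 8 and a ZLIB complexity of 0.84, while .rsrc and .reloc sit in the range of ordinary data; together with the single mscoree.dll import listed further down, that is the static profile of a packed .NET loader rather than plain compiled code. The following is an added example, not part of the Joe Sandbox report, that reproduces those two columns for any PE on disk and flags executable sections above a threshold. It reads the section table with struct (no pefile dependency) and builds a constructed minimal PE so it runs offline; the 7.0 threshold, the allow-list of flags and the assumption that "ZLIB Complexity" is compressed size over raw size are mine, not the report's.

```python
import hashlib
import math
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data):
    """Bits per byte in 0.0..8.0; plain native or .NET code usually lands around 5-6.5,
    compressed or encrypted payloads above 7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_ratio(data):
    """Compressed size over raw size; near 1.0 means the bytes are already compressed or
    encrypted. Assumed (not confirmed) to match the report's "ZLIB Complexity" column."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def iter_sections(pe):
    """Walk the section table of a PE image held in memory."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), va, vsize,
               pe[raw_ptr:raw_ptr + raw_size], chars)


def triage(pe, entropy_threshold=7.0):
    """Flag executable sections whose byte statistics say 'packed', as .text does here."""
    findings = []
    for name, va, vsize, raw, chars in iter_sections(pe):
        ent = shannon_entropy(raw)
        executable = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        findings.append({"name": name, "va": va, "vsize": vsize, "raw_size": len(raw),
                         "entropy": round(ent, 3), "zlib": round(zlib_ratio(raw), 3),
                         "executable": executable,
                         "packed": executable and ent >= entropy_threshold})
    return findings


def build_demo_pe(sections):
    """Constructed minimal PE (DOS header, COFF header, section table, raw data; no optional
    header) so the example runs offline. Real use: triage(open(path, "rb").read())."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, blobs = b"", b""
    for i, (name, chars, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


def demo_findings():
    # constructed contents: 4 KiB of SHA-256 output stands in for a packed .text,
    # a repeated x86 prologue plus zero padding for ordinary read-only data
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    plain = (b"\x55\x8b\xec\x83\xec\x10" * 200).ljust(2048, b"\0")
    pe = build_demo_pe([
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, packed),
        (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, plain),
    ])
    return triage(pe)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['name']:8} entropy={f['entropy']:.3f} zlib={f['zlib']:.3f} packed={f['packed']}")
```

Entropy alone is a weak signal (a large embedded certificate or image also scores high), which is why the check is restricted to sections marked executable and reported next to the compressibility ratio; an executable section that is both near 8 bits per byte and incompressible is the case worth unpacking by hand or in a sandbox.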

                                                                            Resources

                                                                            Name         RVA      Size   Type                                                                            Language  Country
                                                                            RT_VERSION   0x76090  0x32e  data
                                                                            RT_MANIFEST  0x763d0  0xd25  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                                                            Imports

                                                                            DLL          Import
                                                                            mscoree.dll  _CorExeMain

                                                                            Version Infos

                                                                            Description       Data
                                                                            Translation       0x0000 0x04b0
                                                                            LegalCopyright    Copyright 2013
                                                                            Assembly Version  1.0.0.23
                                                                            InternalName      Filters.exe
                                                                            FileVersion       1.0.0.23
                                                                            CompanyName
                                                                            LegalTrademarks
                                                                            Comments
                                                                            ProductName       QuNectRestore
                                                                            ProductVersion    1.0.0.23
                                                                            FileDescription   QuNectRestore
                                                                            OriginalFilename  Filters.exe

                                                                            Network Behavior

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                                            Feb 23, 2021 17:07:24.317401886 CET  49717        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:24.402925968 CET  5654         49717      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:25.006032944 CET  49717        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:25.170547009 CET  5654         49717      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:25.802982092 CET  49717        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:25.890747070 CET  5654         49717      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:30.196755886 CET  49720        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:30.279649019 CET  5654         49720      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:30.803371906 CET  49720        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:30.888102055 CET  5654         49720      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:31.506556988 CET  49720        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:31.591274977 CET  5654         49720      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:35.747231960 CET  49721        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:35.831572056 CET  5654         49721      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:36.506983995 CET  49721        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:36.589525938 CET  5654         49721      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:37.194564104 CET  49721        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:37.279087067 CET  5654         49721      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:41.383832932 CET  49724        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:41.467339039 CET  5654         49724      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:42.007436991 CET  49724        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:42.091211081 CET  5654         49724      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:42.695390940 CET  49724        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:42.777978897 CET  5654         49724      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:47.502105951 CET  49725        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:47.587483883 CET  5654         49725      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:48.195631027 CET  49725        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:48.280992031 CET  5654         49725      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:48.804977894 CET  49725        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:48.903510094 CET  5654         49725      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:53.099952936 CET  49726        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:53.185305119 CET  5654         49726      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:53.696875095 CET  49726        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:53.782341957 CET  5654         49726      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:54.305444002 CET  49726        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:54.390938044 CET  5654         49726      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:58.496613026 CET  49728        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:58.579344988 CET  5654         49728      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:59.086997986 CET  49728        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:59.172306061 CET  5654         49728      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:07:59.680921078 CET  49728        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:07:59.765491009 CET  5654         49728      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:04.214276075 CET  49731        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:04.297036886 CET  5654         49731      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:04.806471109 CET  49731        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:04.892066956 CET  5654         49731      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:05.477663040 CET  49731        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:05.562105894 CET  5654         49731      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:09.662631035 CET  49732        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:09.748166084 CET  5654         49732      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:10.362611055 CET  49732        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:10.450221062 CET  5654         49732      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:11.009932041 CET  49732        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:11.095531940 CET  5654         49732      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:15.200858116 CET  49735        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:15.285886049 CET  5654         49735      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:15.900957108 CET  49735        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:15.983403921 CET  5654         49735      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:16.510380030 CET  49735        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:16.592907906 CET  5654         49735      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:20.703866005 CET  49736        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:20.791032076 CET  5654         49736      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:21.401786089 CET  49736        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:21.488744020 CET  5654         49736      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:22.010874033 CET  49736        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:22.096328974 CET  5654         49736      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:26.488413095 CET  49737        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:26.570949078 CET  5654         49737      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:27.214370966 CET  49737        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:27.298923969 CET  5654         49737      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:27.882488012 CET  49737        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:27.967346907 CET  5654         49737      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:32.081837893 CET  49738        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:32.167021036 CET  5654         49738      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:32.709744930 CET  49738        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:32.794991016 CET  5654         49738      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:33.308701992 CET  49738        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:33.393233061 CET  5654         49738      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:37.513951063 CET  49740        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:37.599510908 CET  5654         49740      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:38.105928898 CET  49740        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:38.193403006 CET  5654         49740      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:38.699738026 CET  49740        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:38.786367893 CET  5654         49740      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:42.932596922 CET  49741        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:43.016801119 CET  5654         49741      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:43.528386116 CET  49741        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:43.610882998 CET  5654         49741      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:44.122071981 CET  49741        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:44.204689026 CET  5654         49741      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:48.332449913 CET  49745        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:48.425596952 CET  5654         49745      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:48.935069084 CET  49745        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:49.022025108 CET  5654         49745      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:49.528836966 CET  49745        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:49.619158983 CET  5654         49745      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:53.743664026 CET  49746        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:53.830708981 CET  5654         49746      79.134.225.105  192.168.2.5
                                                                            Feb 23, 2021 17:08:54.341633081 CET  49746        5654       192.168.2.5     79.134.225.105
                                                                            Feb 23, 2021 17:08:54.424118042 CET  5654         49746      79.134.225.105  192.168.2.5
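The TCP table shows the sample opening a fresh connection from the analysis host (192.168.2.5) to 79.134.225.105 on port 5654 roughly every five to six seconds, exchanging three request/response pairs on each, then repeating from a new source port. That regular cadence to a non-standard port is what a detection engineer wants to measure rather than eyeball. The following is an added example, not part of the Joe Sandbox report, that parses rows in the form shown above (one whitespace-separated field per column), groups packets into client connections per server and port, and scores the start-time regularity; the sample rows are copied from the first four connections in the table, and the jitter threshold, minimum connection count and well-known-port allow-list are my assumptions to tune per environment.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample: the first four C2 connections from the "TCP Packets" table above,
# one packet per line: timestamp, source port, dest port, source IP, dest IP.
SAMPLE_ROWS = """\
Feb 23, 2021 17:07:24.317401886 CET 49717 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:24.402925968 CET 5654 49717 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:25.006032944 CET 49717 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:25.170547009 CET 5654 49717 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:25.802982092 CET 49717 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:25.890747070 CET 5654 49717 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:30.196755886 CET 49720 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:30.279649019 CET 5654 49720 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:30.803371906 CET 49720 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:30.888102055 CET 5654 49720 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:31.506556988 CET 49720 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:31.591274977 CET 5654 49720 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:35.747231960 CET 49721 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:35.831572056 CET 5654 49721 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:36.506983995 CET 49721 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:36.589525938 CET 5654 49721 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:37.194564104 CET 49721 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:37.279087067 CET 5654 49721 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:41.383832932 CET 49724 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:41.467339039 CET 5654 49724 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:42.007436991 CET 49724 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:42.091211081 CET 5654 49724 79.134.225.105 192.168.2.5
Feb 23, 2021 17:07:42.695390940 CET 49724 5654 192.168.2.5 79.134.225.105
Feb 23, 2021 17:07:42.777978897 CET 5654 49724 79.134.225.105 192.168.2.5
"""

SANDBOX_HOST = "192.168.2.5"  # the analysis VM's address in this report
WELL_KNOWN_PORTS = {53, 80, 123, 443, 465, 587, 993, 995}  # assumed allow-list; tune it
EPOCH = datetime(1970, 1, 1)

ROW_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) \w+\s+"
    r"(?P<sport>\d{1,5})\s+(?P<dport>\d{1,5})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_rows(text):
    """Turn report rows into dicts with a float 't' in seconds (nanosecond fraction kept)."""
    packets = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        # strptime's %f stops at six digits, so the fraction is added separately
        t = (base - EPOCH).total_seconds() + float("0." + m["frac"])
        packets.append({"t": t, "sport": int(m["sport"]), "dport": int(m["dport"]),
                        "src": m["src"], "dst": m["dst"]})
    return packets


def beacon_report(packets, client=SANDBOX_HOST, max_jitter=0.2, min_connections=3):
    """Group packets into client connections per (server, port) and measure start-time cadence.
    jitter_ratio is the largest deviation from the mean gap, relative to that mean."""
    starts = {}  # (server_ip, server_port) -> {client_port: first packet time}
    for p in packets:
        if p["src"] == client:
            key, cport = (p["dst"], p["dport"]), p["sport"]
        elif p["dst"] == client:
            key, cport = (p["src"], p["sport"]), p["dport"]
        else:
            continue  # not a flow of the host under analysis
        conns = starts.setdefault(key, {})
        conns[cport] = min(conns.get(cport, p["t"]), p["t"])
    report = {}
    for (server, port), conns in starts.items():
        times = sorted(conns.values())
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else 0.0
        jitter = max(abs(g - avg) for g in gaps) / avg if avg else 0.0
        report[(server, port)] = {
            "connections": len(times), "intervals": gaps,
            "mean_interval": avg, "jitter_ratio": jitter,
            "suspicious": (len(times) >= min_connections and jitter <= max_jitter
                           and port not in WELL_KNOWN_PORTS),
        }
    return report


if __name__ == "__main__":
    for (server, port), r in beacon_report(parse_rows(SAMPLE_ROWS)).items():
        print(f"{server}:{port} connections={r['connections']} "
              f"mean={r['mean_interval']:.2f}s jitter={r['jitter_ratio']:.1%} "
              f"suspicious={r['suspicious']}")
```

On the four sampled connections the gaps are about 5.9, 5.6 and 5.6 seconds with a jitter ratio under 5 percent, which trips the rule; the same pass over the full table above (and over the DNS rows, which land on port 53 and are excluded by the allow-list) is how you would turn this report into a Zeek or NetFlow detection rather than a one-off observation.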

                                                                            UDP Packets

                                                                            Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                                            Feb 23, 2021 17:07:01.966917992 CET  52212        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:02.010678053 CET  53           52704      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:02.019895077 CET  53           52212      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:02.493860006 CET  54302        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:02.544358969 CET  53           54302      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:02.673930883 CET  53784        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:02.731071949 CET  53           53784      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:03.031584978 CET  65307        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:03.083000898 CET  53           65307      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:03.093507051 CET  64344        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:03.142283916 CET  53           64344      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:03.245066881 CET  62060        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:03.296475887 CET  53           62060      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:04.191267967 CET  61805        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:04.243364096 CET  53           61805      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:05.222963095 CET  54795        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:05.272953033 CET  53           54795      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:06.924113989 CET  49557        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:06.973278046 CET  53           49557      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:07.422972918 CET  61733        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:07.481489897 CET  53           61733      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:08.339463949 CET  65447        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:08.390849113 CET  53           65447      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:09.774693966 CET  52441        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:09.831759930 CET  53           52441      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:10.627614021 CET  62176        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:10.684992075 CET  53           62176      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:11.850918055 CET  59596        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:11.902892113 CET  53           59596      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:14.212620974 CET  65296        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:14.264101982 CET  53           65296      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:15.498347998 CET  63183        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:15.547302961 CET  53           63183      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:16.382819891 CET  60151        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:16.436593056 CET  53           60151      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:23.839442015 CET  56969        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:23.905378103 CET  53           56969      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:27.270549059 CET  55161        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:27.335716963 CET  53           55161      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:30.128424883 CET  54757        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:30.195499897 CET  53           54757      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:35.678299904 CET  49992        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:35.744441986 CET  53           49992      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:39.990731955 CET  60075        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:40.041691065 CET  53           60075      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:41.318376064 CET  55016        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:41.382150888 CET  53           55016      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:47.434134007 CET  64345        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:47.496967077 CET  53           64345      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:53.038328886 CET  57128        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:53.097796917 CET  53           57128      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:57.724330902 CET  54791        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:57.775765896 CET  53           54791      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:07:58.442466021 CET  50463        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:07:58.494002104 CET  53           50463      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:00.102087975 CET  50394        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:00.154416084 CET  53           50394      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:04.155479908 CET  58530        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:04.213018894 CET  53           58530      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:09.601368904 CET  53813        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:09.661525011 CET  53           53813      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:11.137090921 CET  63732        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:11.195926905 CET  53           63732      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:15.129806995 CET  57344        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:15.187225103 CET  53           57344      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:20.635152102 CET  54450        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:20.699871063 CET  53           54450      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:26.388084888 CET  59261        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:26.483036041 CET  53           59261      8.8.8.8      192.168.2.5
                                                                            Feb 23, 2021 17:08:32.018039942 CET  57151        53         192.168.2.5  8.8.8.8
                                                                            Feb 23, 2021 17:08:32.080794096 CET53571518.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:32.346096992 CET5941353192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:32.414536953 CET53594138.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:37.451399088 CET6051653192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:37.508657932 CET53605168.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:42.865860939 CET5164953192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:42.930672884 CET53516498.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:43.815403938 CET6508653192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:43.876554012 CET53650868.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:45.763406992 CET5643253192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:45.815440893 CET53564328.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:47.436276913 CET5292953192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:47.493521929 CET53529298.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:48.270625114 CET6431753192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:48.329891920 CET53643178.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:53.683684111 CET6100453192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:53.740900993 CET53610048.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:08:59.079591990 CET5689553192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:08:59.144479036 CET53568958.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:09:04.518706083 CET6237253192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:09:04.586355925 CET53623728.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:09:10.028256893 CET6151553192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:09:10.088375092 CET53615158.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:09:15.767822981 CET5667553192.168.2.58.8.8.8
                                                                            Feb 23, 2021 17:09:15.830482006 CET53566758.8.8.8192.168.2.5
                                                                            Feb 23, 2021 17:09:21.130548954 CET5717253192.168.2.58.8.8.8

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 17:07:23.839442015 CET | 192.168.2.5 | 8.8.8.8 | 0xb8c3 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:30.128424883 CET | 192.168.2.5 | 8.8.8.8 | 0xc4f5 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:35.678299904 CET | 192.168.2.5 | 8.8.8.8 | 0xa15b | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:41.318376064 CET | 192.168.2.5 | 8.8.8.8 | 0x9c0a | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:47.434134007 CET | 192.168.2.5 | 8.8.8.8 | 0xce56 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:53.038328886 CET | 192.168.2.5 | 8.8.8.8 | 0x7248 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:58.442466021 CET | 192.168.2.5 | 8.8.8.8 | 0x8b2 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:04.155479908 CET | 192.168.2.5 | 8.8.8.8 | 0x7c47 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:09.601368904 CET | 192.168.2.5 | 8.8.8.8 | 0xa2dd | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:15.129806995 CET | 192.168.2.5 | 8.8.8.8 | 0x1d5d | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:20.635152102 CET | 192.168.2.5 | 8.8.8.8 | 0x5eee | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:26.388084888 CET | 192.168.2.5 | 8.8.8.8 | 0xbd45 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:32.018039942 CET | 192.168.2.5 | 8.8.8.8 | 0x965a | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:37.451399088 CET | 192.168.2.5 | 8.8.8.8 | 0xd55e | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:42.865860939 CET | 192.168.2.5 | 8.8.8.8 | 0x8c7 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:48.270625114 CET | 192.168.2.5 | 8.8.8.8 | 0x26f9 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:53.683684111 CET | 192.168.2.5 | 8.8.8.8 | 0x9280 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:59.079591990 CET | 192.168.2.5 | 8.8.8.8 | 0xee40 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:09:04.518706083 CET | 192.168.2.5 | 8.8.8.8 | 0xd1c9 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:09:10.028256893 CET | 192.168.2.5 | 8.8.8.8 | 0x6e8a | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:09:15.767822981 CET | 192.168.2.5 | 8.8.8.8 | 0xdc2b | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:09:21.130548954 CET | 192.168.2.5 | 8.8.8.8 | 0xd499 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 17:07:23.905378103 CET | 8.8.8.8 | 192.168.2.5 | 0xb8c3 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:30.195499897 CET | 8.8.8.8 | 192.168.2.5 | 0xc4f5 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:35.744441986 CET | 8.8.8.8 | 192.168.2.5 | 0xa15b | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:41.382150888 CET | 8.8.8.8 | 192.168.2.5 | 0x9c0a | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:47.496967077 CET | 8.8.8.8 | 192.168.2.5 | 0xce56 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:53.097796917 CET | 8.8.8.8 | 192.168.2.5 | 0x7248 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:07:58.494002104 CET | 8.8.8.8 | 192.168.2.5 | 0x8b2 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:04.213018894 CET | 8.8.8.8 | 192.168.2.5 | 0x7c47 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:09.661525011 CET | 8.8.8.8 | 192.168.2.5 | 0xa2dd | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:15.187225103 CET | 8.8.8.8 | 192.168.2.5 | 0x1d5d | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:20.699871063 CET | 8.8.8.8 | 192.168.2.5 | 0x5eee | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:26.483036041 CET | 8.8.8.8 | 192.168.2.5 | 0xbd45 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:32.080794096 CET | 8.8.8.8 | 192.168.2.5 | 0x965a | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:37.508657932 CET | 8.8.8.8 | 192.168.2.5 | 0xd55e | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:42.930672884 CET | 8.8.8.8 | 192.168.2.5 | 0x8c7 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:48.329891920 CET | 8.8.8.8 | 192.168.2.5 | 0x26f9 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:53.740900993 CET | 8.8.8.8 | 192.168.2.5 | 0x9280 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:08:59.144479036 CET | 8.8.8.8 | 192.168.2.5 | 0xee40 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:09:04.586355925 CET | 8.8.8.8 | 192.168.2.5 | 0xd1c9 | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:09:10.088375092 CET | 8.8.8.8 | 192.168.2.5 | 0x6e8a | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:09:15.830482006 CET | 8.8.8.8 | 192.168.2.5 | 0xdc2b | No error (0) | cloudhost.myfirewall.org | | 79.134.225.105 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior


                                                                            System Behavior

                                                                            General

                                                                            Start time:17:07:10
                                                                            Start date:23/02/2021
                                                                            Path:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe'
                                                                            Imagebase:0x4c0000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.252271147.0000000002BA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:07:18
                                                                            Start date:23/02/2021
                                                                            Path:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
                                                                            Imagebase:0x7ff797770000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:07:20
                                                                            Start date:23/02/2021
                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp'
                                                                            Imagebase:0xad0000
                                                                            File size:185856 bytes
                                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:17:07:20
                                                                            Start date:23/02/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7ecfc0000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:17:07:21
                                                                            Start date:23/02/2021
                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp266B.tmp'
                                                                            Imagebase:0xad0000
                                                                            File size:185856 bytes
                                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:17:07:21
                                                                            Start date:23/02/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7ecfc0000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:17:07:23
                                                                            Start date:23/02/2021
                                                                            Path:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe 0
                                                                            Imagebase:0x8c0000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.275177741.0000000002FB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:07:23
                                                                            Start date:23/02/2021
                                                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                            Imagebase:0xd10000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.275574869.00000000033B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Antivirus matches:
                                                                            • Detection: 10%, ReversingLabs
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:07:28
                                                                            Start date:23/02/2021
                                                                            Path:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
                                                                            Imagebase:0x850000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.289889933.0000000002EF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:07:28
                                                                            Start date:23/02/2021
                                                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                            Imagebase:0x490000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:07:33
                                                                            Start date:23/02/2021
                                                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                            Imagebase:0x280000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.292697027.0000000002A01000.00000004.00000001.sdmp, Author: Joe Security
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:07:36
                                                                            Start date:23/02/2021
                                                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                            Imagebase:0xd40000
                                                                            File size:475648 bytes
                                                                            MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:17:09:01
                                                                            Start date:23/02/2021
                                                                            Path:C:\Windows\System32\backgroundTaskHost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                            Imagebase:0x7ff64e5e0000
                                                                            File size:19352 bytes
                                                                            MD5 hash:B7FC4A29431D4F795BBAB1FB182B759A
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
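
The process table above carries two findings worth pulling out mechanically rather than by eye: the file at C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe has the same MD5 as the submitted sample (a self-copy used for persistence), and in three of the processes the NanoCore rules fire on a region at 0x402000 whose dump name ends in ...00000040..., while the remaining hits are in ...00000004... regions. The script below is an added example, not Joe Sandbox's code or part of this report. It parses a constructed, abbreviated excerpt of the table (Path, MD5 and Yara lines only, with the Description/Author parts dropped), flags paths that run the sample's hash from a different location, and flags Yara hits in memory whose protection field has the PAGE_EXECUTE_READWRITE (0x40) bit set. The interpretation of the dotted fields in the .sdmp name (process index, dump type, dump id, base address, page protection, flag) is an assumption: the page does not document that format.

```python
"""Cross-check a Joe Sandbox process listing for self-copy persistence and for
NanoCore Yara hits inside executable memory (added example, not Joe Sandbox code)."""
import re

SAMPLE_PATH = r"C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe"
SAMPLE_MD5 = "1F2B71C462D73DCDCC69A707A18C38D6"
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant

# Constructed, abbreviated excerpt of the process table above: only the Path, MD5 and
# Yara lines are kept, and the Description/Author parts of each Yara line are dropped.
REPORT = r"""
Path:C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe
MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
• Rule: JoeSecurity_Nanocore, Source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp
• Rule: NanoCore, Source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp
• Rule: JoeSecurity_Nanocore, Source: 0000000B.00000002.289889933.0000000002EF1000.00000004.00000001.sdmp
• Rule: Nanocore_RAT_Gen_2, Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp
• Rule: JoeSecurity_Nanocore, Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp
• Rule: NanoCore, Source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp
Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
• Rule: JoeSecurity_Nanocore, Source: 0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp
• Rule: JoeSecurity_Nanocore, Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp
• Rule: NanoCore, Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp
• Rule: Nanocore_RAT_Gen_2, Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp
• Rule: JoeSecurity_Nanocore, Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp
• Rule: NanoCore, Source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp
Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
• Rule: JoeSecurity_AntiVM_3, Source: 00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp
• Rule: Nanocore_RAT_Gen_2, Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp
• Rule: JoeSecurity_Nanocore, Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp
• Rule: NanoCore, Source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp
• Rule: JoeSecurity_AntiVM_3, Source: 00000010.00000002.292697027.0000000002A01000.00000004.00000001.sdmp
Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
MD5 hash:1F2B71C462D73DCDCC69A707A18C38D6
• Rule: JoeSecurity_Nanocore, Source: 00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp
• Rule: Nanocore_RAT_Gen_2, Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp
• Rule: JoeSecurity_Nanocore, Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp
• Rule: NanoCore, Source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp
• Rule: JoeSecurity_Nanocore, Source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp
• Rule: NanoCore, Source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp
Path:C:\Windows\System32\backgroundTaskHost.exe
MD5 hash:B7FC4A29431D4F795BBAB1FB182B759A
"""

SDMP_RE = re.compile(
    r"([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp",
    re.IGNORECASE)


def parse_sdmp(name):
    """Split a dump name into its dotted fields.  ASSUMPTION (the page does not document
    the format): process index, dump type, dump id, base address, page protection, flag."""
    m = SDMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    proc, dtype, dump_id, base, prot, flag = m.groups()
    return {"process": int(proc, 16), "dump_type": int(dtype, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "protection": int(prot, 16), "flag": int(flag, 16)}


def parse_report(text):
    """One dict per process block: path, md5 and a list of (rule, source) Yara hits."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Path:"):
            procs.append({"path": line[len("Path:"):], "md5": None, "yara": []})
        elif line.startswith("MD5 hash:"):
            procs[-1]["md5"] = line[len("MD5 hash:"):].upper()
        elif line.startswith("•"):
            m = re.search(r"Rule:\s*([^,\s]+).*?Source:\s*(\S+\.sdmp)", line)
            if m:
                procs[-1]["yara"].append(m.groups())
    return procs


def self_copies(procs, sample_path, sample_md5):
    """Paths other than the submitted sample that execute a file with the sample's hash."""
    return sorted({p["path"] for p in procs if p["md5"] == sample_md5 and p["path"] != sample_path})


def rwx_hits(procs):
    """(path, process index, rule, base) for hits inside PAGE_EXECUTE_READWRITE memory:
    code that was written at runtime and then executed, i.e. an unpacked or injected payload."""
    hits = []
    for p in procs:
        for rule, src in p["yara"]:
            d = parse_sdmp(src)
            if d["protection"] & PAGE_EXECUTE_READWRITE:
                hits.append((p["path"], d["process"], rule, d["base"]))
    return hits


if __name__ == "__main__":
    procs = parse_report(REPORT)
    print("self-copies:", self_copies(procs, SAMPLE_PATH, SAMPLE_MD5))
    for path, idx, rule, base in rwx_hits(procs):
        print(f"process {idx:#x} {path}: {rule} at {base:#x} (RWX)")
```

On the excerpt above this reports one self-copy (the dhcpmon.exe path) and nine RWX hits, all at base 0x402000 in the processes with indexes 0x0B, 0x0C and 0x14. Those three processes report image bases of 0x850000, 0x490000 and 0xd40000 in the table, so the matched code is not the loaded dhcpmon.exe image but a second PE mapped at runtime, which is consistent with the "Injects a PE file into a foreign processes" signature in the report's summary. The dhcpmon.exe instance at 0x10 (the one started with a quoted command line) has only read/write hits and no RWX region, so it is the launcher rather than the injected payload host. The heuristic keys on the protection field only; if the dump-name format differs from the assumption stated above, adjust parse_sdmp rather than the detection functions.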
