
Analysis Report cpIaMuv3PV.exe

Overview

General Information

Sample Name: cpIaMuv3PV.exe
Analysis ID: 358139
MD5: a8911878f9c096c7bfe665b8076a8704
SHA1: 1dffaac5e83c62a0478095c68684bc4974f559db
SHA256: 498df02f7263a2b524603cb58cd01c45115645f7586147fd39b19e930dffc667
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • cpIaMuv3PV.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\cpIaMuv3PV.exe' MD5: A8911878F9C096C7BFE665B8076A8704)
    • schtasks.exe (PID: 6476 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cpIaMuv3PV.exe (PID: 6552 cmdline: C:\Users\user\Desktop\cpIaMuv3PV.exe MD5: A8911878F9C096C7BFE665B8076A8704)
  • dhcpmon.exe (PID: 7060 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A8911878F9C096C7BFE665B8076A8704)
    • schtasks.exe (PID: 6388 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp7E79.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6232 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: A8911878F9C096C7BFE665B8076A8704)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-00", "Group": "worker", "Domain1": "", "Domain2": "hailongfvt.zapto.org", "Port": 3365, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
    Source: 00000004.00000002.509285336.0000000005190000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    Source: 00000004.00000002.509285336.0000000005190000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    Source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
      Source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
      • 0x2ef5:$a: NanoCore
      • 0x2f4e:$a: NanoCore
      • 0x2f8b:$a: NanoCore
      • 0x3004:$a: NanoCore
      • 0x166af:$a: NanoCore
      • 0x166c4:$a: NanoCore
      • 0x166f9:$a: NanoCore
      • 0x2f16b:$a: NanoCore
      • 0x2f180:$a: NanoCore
      • 0x2f1b5:$a: NanoCore
      • 0x2f57:$b: ClientPlugin
      • 0x2f94:$b: ClientPlugin
      • 0x3892:$b: ClientPlugin
      • 0x389f:$b: ClientPlugin
      • 0x1646b:$b: ClientPlugin
      • 0x16486:$b: ClientPlugin
      • 0x164b6:$b: ClientPlugin
      • 0x166cd:$b: ClientPlugin
      • 0x16702:$b: ClientPlugin
      • 0x2ef27:$b: ClientPlugin
      • 0x2ef42:$b: ClientPlugin

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      Source: 8.2.dhcpmon.exe.45b6850.3.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Source: 8.2.dhcpmon.exe.45b6850.3.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
      Source: 8.2.dhcpmon.exe.45b6850.3.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
        Source: 8.2.dhcpmon.exe.45b6850.3.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
        • 0xe0f5:$a: NanoCore
        • 0xe105:$a: NanoCore
        • 0xe339:$a: NanoCore
        • 0xe34d:$a: NanoCore
        • 0xe38d:$a: NanoCore
        • 0xe154:$b: ClientPlugin
        • 0xe356:$b: ClientPlugin
        • 0xe396:$b: ClientPlugin
        • 0xe27b:$c: ProjectData
        • 0xec82:$d: DESCrypto
        • 0x1664e:$e: KeepAlive
        • 0x1463c:$g: LogClientMessage
        • 0x10837:$i: get_Connected
        • 0xefb8:$j: #=q
        • 0xefe8:$j: #=q
        • 0xf004:$j: #=q
        • 0xf034:$j: #=q
        • 0xf050:$j: #=q
        • 0xf06c:$j: #=q
        • 0xf09c:$j: #=q
        • 0xf0b8:$j: #=q
        Source: 4.2.cpIaMuv3PV.exe.5190000.7.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
        • 0xe75:$x1: NanoCore.ClientPluginHost
        • 0xe8f:$x2: IClientNetworkHost

        Sigma Overview

        System Summary:

        Sigma detected: NanoCore
        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\cpIaMuv3PV.exe, ProcessId: 6552, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp location
        Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\cpIaMuv3PV.exe', ParentImage: C:\Users\user\Desktop\cpIaMuv3PV.exe, ParentProcessId: 6364, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp', ProcessId: 6476

        Signature Overview


        AV Detection:

        Found malware configuration
        Source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
        Multi AV Scanner detection for dropped file
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Metadefender: Detection: 13%
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 37%
        Source: C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe | Metadefender: Detection: 13%
        Source: C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe | ReversingLabs: Detection: 37%
        Multi AV Scanner detection for submitted file
        Source: cpIaMuv3PV.exe | Virustotal: Detection: 30%
        Source: cpIaMuv3PV.exe | Metadefender: Detection: 13%
        Source: cpIaMuv3PV.exe | ReversingLabs: Detection: 37%
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.501066810.0000000002951000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.322397159.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.509339734.0000000005270000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: cpIaMuv3PV.exe PID: 6364, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6232, type: MEMORY
        Source: Yara match | File source: Process Memory Space: cpIaMuv3PV.exe PID: 6552, type: MEMORY
        Source: Yara match | File source: 8.2.dhcpmon.exe.45b6850.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.399ff4c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.430b116.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.5270000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.cpIaMuv3PV.exe.41e6850.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.dhcpmon.exe.45b6850.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.399ff4c.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.4314575.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.430ff4c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.cpIaMuv3PV.exe.41e6850.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.430ff4c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.dhcpmon.exe.446e180.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.dhcpmon.exe.44c65a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.5270000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.5274629.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.cpIaMuv3PV.exe.40f65a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.39a4575.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.399b116.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Machine Learning detection for dropped file
        Source: C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe | Joe Sandbox ML: detected
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
        Machine Learning detection for sample
        Source: cpIaMuv3PV.exe | Joe Sandbox ML: detected
        Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 4.2.cpIaMuv3PV.exe.5270000.9.unpack | Avira: Label: TR/NanoCore.fadte
        Source: 18.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

        Compliance:

        Uses 32bit PE files
        Source: cpIaMuv3PV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Contains modern PE file flags such as dynamic base (ASLR) or NX
        Source: cpIaMuv3PV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor | URLs:
        Source: Malware configuration extractor | URLs: hailongfvt.zapto.org
        Source: global traffic | TCP traffic: 192.168.2.7:49716 -> 185.140.53.139:3365
        Source: Joe Sandbox View | IP Address: 185.140.53.139
        Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
        Source: unknown | DNS traffic detected: queries for: hailongfvt.zapto.org
        Source: cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: dhcpmon.exe | String found in binary or memory: http://tempuri.org/DS_All_Student_Bill.xsd
        Source: cpIaMuv3PV.exe | String found in binary or memory: http://tempuri.org/DS_All_Student_Bill.xsd;stbl_Product_Purchase_DetailsUhttp://tempuri.org/DS_Produ
        Source: dhcpmon.exe | String found in binary or memory: http://tempuri.org/DS_Product_Purchase.xsd
        Source: dhcpmon.exe, dhcpmon.exe, 00000012.00000002.321328745.0000000000B52000.00000002.00020000.sdmp, cpIaMuv3PV.exe | String found in binary or memory: http://tempuri.org/DS_Stock.xsd
        Source: dhcpmon.exe | String found in binary or memory: http://tempuri.org/DS_Student_Fees.xsd
        Source: cpIaMuv3PV.exe | String found in binary or memory: http://tempuri.org/DS_Student_Fees.xsd;stbl_Student_Purchase_Details7DS_Student_Purchase_Detailsehtt
        Source: dhcpmon.exe | String found in binary or memory: http://tempuri.org/DS_Student_Purchase_Details.xsd
        Source: dhcpmon.exe, dhcpmon.exe, 00000012.00000002.321328745.0000000000B52000.00000002.00020000.sdmp, cpIaMuv3PV.exe | String found in binary or memory: http://tempuri.org/aLL_STUDENT_DATA.xsd
        Source: cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
        Source: cpIaMuv3PV.exe, 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT (same Yara match sources as listed under AV Detection above)

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000004.00000002.509285336.0000000005190000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.322397159.00000000032C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.509339734.0000000005270000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: cpIaMuv3PV.exe PID: 6364, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: cpIaMuv3PV.exe PID: 6364, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6232, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6232, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: cpIaMuv3PV.exe PID: 6552, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: cpIaMuv3PV.exe PID: 6552, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.dhcpmon.exe.45b6850.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 8.2.dhcpmon.exe.45b6850.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.cpIaMuv3PV.exe.5190000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.2.cpIaMuv3PV.exe.399ff4c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.dhcpmon.exe.430b116.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.dhcpmon.exe.430b116.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.cpIaMuv3PV.exe.5270000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.cpIaMuv3PV.exe.41e6850.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.cpIaMuv3PV.exe.41e6850.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.dhcpmon.exe.45b6850.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 8.2.dhcpmon.exe.45b6850.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.cpIaMuv3PV.exe.399ff4c.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.dhcpmon.exe.4314575.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.2.cpIaMuv3PV.exe.297ca00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.dhcpmon.exe.430ff4c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.cpIaMuv3PV.exe.41e6850.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.cpIaMuv3PV.exe.41e6850.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.dhcpmon.exe.3329660.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.dhcpmon.exe.430ff4c.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 8.2.dhcpmon.exe.446e180.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 8.2.dhcpmon.exe.446e180.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.dhcpmon.exe.44c65a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 8.2.dhcpmon.exe.44c65a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.cpIaMuv3PV.exe.5270000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.2.cpIaMuv3PV.exe.5274629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.cpIaMuv3PV.exe.40f65a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.cpIaMuv3PV.exe.40f65a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.cpIaMuv3PV.exe.39a4575.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.2.cpIaMuv3PV.exe.399b116.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.2.cpIaMuv3PV.exe.399b116.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Code function: 0_2_02DFEA34
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Code function: 0_2_02DFEF5A
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Code function: 0_2_02DFB488
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Code function: 4_2_0280E480
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Code function: 4_2_0280E471
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Code function: 4_2_0280BBD4
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Code function: 4_2_05F10040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_032DA1E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_032DB488
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0307E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0307E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0307BBD4
        Source: cpIaMuv3PV.exe | Binary or memory string: OriginalFilename vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000000.00000002.251842701.000000000E780000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000000.00000002.246511790.0000000000B32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMdConstant.exe4 vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000000.00000002.252985323.000000000EF30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000000.00000002.251317454.000000000A4D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000000.00000002.253841541.000000000F030000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000000.00000002.253841541.000000000F030000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe | Binary or memory string: OriginalFilename vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000004.00000002.509373713.0000000005890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000004.00000000.245536469.00000000004B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMdConstant.exe4 vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe, 00000004.00000002.509848240.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe | Binary or memory string: OriginalFilenameMdConstant.exe4 vs cpIaMuv3PV.exe
        Source: cpIaMuv3PV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Matched Yara rules (rule metadata, identical for every match listed below):
        Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

        Source: 00000004.00000002.509285336.0000000005190000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp, type: MEMORY | Matched rules: NanoCore
        Source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rules: NanoCore
        Source: 00000012.00000002.322397159.00000000032C1000.00000004.00000001.sdmp, type: MEMORY | Matched rules: NanoCore
        Source: 00000004.00000002.509339734.0000000005270000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: Process Memory Space: cpIaMuv3PV.exe PID: 6364, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6232, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: Process Memory Space: cpIaMuv3PV.exe PID: 6552, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 8.2.dhcpmon.exe.45b6850.3.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 4.2.cpIaMuv3PV.exe.5190000.7.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 4.2.cpIaMuv3PV.exe.399ff4c.4.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 18.2.dhcpmon.exe.430b116.4.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 4.2.cpIaMuv3PV.exe.5270000.9.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 0.2.cpIaMuv3PV.exe.41e6850.2.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 8.2.dhcpmon.exe.45b6850.3.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 4.2.cpIaMuv3PV.exe.399ff4c.4.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 18.2.dhcpmon.exe.4314575.3.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 4.2.cpIaMuv3PV.exe.297ca00.2.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 18.2.dhcpmon.exe.430ff4c.5.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.cpIaMuv3PV.exe.41e6850.2.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 18.2.dhcpmon.exe.3329660.2.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 18.2.dhcpmon.exe.430ff4c.5.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 8.2.dhcpmon.exe.446e180.2.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 8.2.dhcpmon.exe.44c65a0.1.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 4.2.cpIaMuv3PV.exe.5270000.9.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 4.2.cpIaMuv3PV.exe.5274629.8.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.cpIaMuv3PV.exe.40f65a0.1.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 4.2.cpIaMuv3PV.exe.39a4575.5.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 4.2.cpIaMuv3PV.exe.399b116.3.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/9@23/2
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File created: C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:976:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\lehXhqdzGLyhWFuvf
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{06dcc34e-fccc-45c0-ab04-0a28b66d80f2}
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2685.tmp
        Source: cpIaMuv3PV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: cpIaMuv3PV.exe, 00000000.00000002.246511790.0000000000B32000.00000002.00020000.sdmp, cpIaMuv3PV.exe, 00000004.00000000.245536469.00000000004B2000.00000002.00020000.sdmp, dhcpmon.exe, 00000008.00000000.272258650.0000000000D72000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000002.321328745.0000000000B52000.00000002.00020000.sdmp | Binary or memory string: select * from stbl_Product_Purchase_Details where Product_ID = 9Single Students Bill Reports-crv_Single_student_fee;uc_single_Student_Bill_Reportkselect * from tbl_Stud_Fee_Master where Student_ID = cselect * from tbl_Stud_Master where Student_ID = 3Big Dreams Come True Here#frm_Splash_Screen
        Source: cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
        Source: cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
        Source: cpIaMuv3PV.exe | Virustotal: Detection: 30%
        Source: cpIaMuv3PV.exe | Metadefender: Detection: 13%
        Source: cpIaMuv3PV.exe | ReversingLabs: Detection: 37%
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File read: C:\Users\user\Desktop\cpIaMuv3PV.exe
        Source: unknown | Process created: C:\Users\user\Desktop\cpIaMuv3PV.exe 'C:\Users\user\Desktop\cpIaMuv3PV.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\cpIaMuv3PV.exe C:\Users\user\Desktop\cpIaMuv3PV.exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp7E79.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp'
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Process created: C:\Users\user\Desktop\cpIaMuv3PV.exe C:\Users\user\Desktop\cpIaMuv3PV.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp7E79.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: cpIaMuv3PV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: cpIaMuv3PV.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: cpIaMuv3PV.exe | Static file information: File size 1272320 > 1048576
        Source: cpIaMuv3PV.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x131c00
        Source: cpIaMuv3PV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0307D413 push 0000005Dh; retn 0004h | 18_2_0307D485
Source: initial sample | Static PE information: section name: .text entropy: 6.81640542834
Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File created: C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | File opened: C:\Users\user\Desktop\cpIaMuv3PV.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.247304436.0000000002FBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.300490631.0000000003359000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cpIaMuv3PV.exe PID: 6364, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7060, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Window / User API: threadDelayed 4205
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Window / User API: threadDelayed 5276
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Window / User API: foregroundWindowGot 834
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe TID: 6368 | Thread sleep time: -102832s >= -30000s
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe TID: 6396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe TID: 6620 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7064 | Thread sleep time: -103155s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7092 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2160 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: cpIaMuv3PV.exe, 00000004.00000002.509848240.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: cpIaMuv3PV.exe, 00000004.00000002.509848240.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: cpIaMuv3PV.exe, 00000004.00000002.509848240.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: cpIaMuv3PV.exe, 00000004.00000002.509848240.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp'
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Process created: C:\Users\user\Desktop\cpIaMuv3PV.exe C:\Users\user\Desktop\cpIaMuv3PV.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp7E79.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: cpIaMuv3PV.exe, 00000004.00000002.500574254.0000000001250000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: cpIaMuv3PV.exe, 00000004.00000002.501784469.0000000002A78000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: cpIaMuv3PV.exe, 00000004.00000002.500574254.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: cpIaMuv3PV.exe, 00000004.00000002.500574254.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: cpIaMuv3PV.exe, 00000004.00000002.500574254.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: cpIaMuv3PV.exe, 00000004.00000002.501784469.0000000002A78000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHf
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Queries volume information: C:\Users\user\Desktop\cpIaMuv3PV.exe VolumeInformation
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\cpIaMuv3PV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\cpIaMuv3PV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.501066810.0000000002951000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.322397159.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.509339734.0000000005270000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: cpIaMuv3PV.exe PID: 6364, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6232, type: MEMORY
        Source: Yara match | File source: Process Memory Space: cpIaMuv3PV.exe PID: 6552, type: MEMORY
        Source: Yara match | File source: 8.2.dhcpmon.exe.45b6850.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.399ff4c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.430b116.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.5270000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.cpIaMuv3PV.exe.41e6850.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.dhcpmon.exe.45b6850.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.399ff4c.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.4314575.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.430ff4c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.cpIaMuv3PV.exe.41e6850.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.430ff4c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.dhcpmon.exe.446e180.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.dhcpmon.exe.44c65a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.5270000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.5274629.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.cpIaMuv3PV.exe.40f65a0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.39a4575.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.cpIaMuv3PV.exe.399b116.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        barindex
        Detected Nanocore Rat
        Source: cpIaMuv3PV.exe, 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: cpIaMuv3PV.exe, 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: cpIaMuv3PV.exe, 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 2 | Input Capture 11 | Security Software Discovery 211 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 12 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Behavior Graph ID: 358139 | Sample: cpIaMuv3PV.exe | Startdate: 25/02/2021 | Architecture: WINDOWS | Score: 100

        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 12 other signatures
        Top-level DNS/IP: hailongfvt.zapto.org

        Process tree and edges recovered from the graph:

        • cpIaMuv3PV.exe (started from the sample)
            • dropped C:\Users\user\AppData\...\OUCEGOEkZUvjuG.exe (PE32)
            • dropped C:\...\OUCEGOEkZUvjuG.exe:Zone.Identifier (ASCII)
            • dropped C:\Users\user\AppData\Local\...\tmp2685.tmp (XML)
            • dropped C:\Users\user\AppData\...\cpIaMuv3PV.exe.log (ASCII)
            • started cpIaMuv3PV.exe (child instance)
                • contacted hailongfvt.zapto.org 185.140.53.139, port 3365 (local ports 49716, 49723), DAVID_CRAIGGG, Sweden
                • contacted 192.168.2.1 (unknown)
                • dropped C:\Program Files (x86)\...\dhcpmon.exe (PE32)
                • dropped C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859)
                • dropped C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
                • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            • started schtasks.exe
                • started conhost.exe
        • dhcpmon.exe (started from the sample)
            • started schtasks.exe
                • started conhost.exe
            • started dhcpmon.exe (child instance)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        cpIaMuv3PV.exe | 31% | Virustotal |
        cpIaMuv3PV.exe | 19% | Metadefender |
        cpIaMuv3PV.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
        cpIaMuv3PV.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 19% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
        C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe | 19% | Metadefender |
        C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Unpacked PE Files

        Source | Detection | Scanner | Label
        4.2.cpIaMuv3PV.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        4.2.cpIaMuv3PV.exe.5270000.9.unpack | 100% | Avira | TR/NanoCore.fadte
        18.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        (empty URL) | 0% | Avira URL Cloud | safe
        http://tempuri.org/DS_Student_Fees.xsd | 0% | Avira URL Cloud | safe
        http://tempuri.org/aLL_STUDENT_DATA.xsd | 0% | Avira URL Cloud | safe
        http://tempuri.org/DS_Student_Fees.xsd;stbl_Student_Purchase_Details7DS_Student_Purchase_Detailsehtt | 0% | Avira URL Cloud | safe
        http://tempuri.org/DS_All_Student_Bill.xsd;stbl_Product_Purchase_DetailsUhttp://tempuri.org/DS_Produ | 0% | Avira URL Cloud | safe
        http://tempuri.org/DS_All_Student_Bill.xsd | 0% | Avira URL Cloud | safe
        hailongfvt.zapto.org | 0% | Avira URL Cloud | safe
        http://tempuri.org/DS_Stock.xsd | 0% | Avira URL Cloud | safe
        http://tempuri.org/DS_Product_Purchase.xsd | 0% | Avira URL Cloud | safe
        http://tempuri.org/DS_Student_Purchase_Details.xsd | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        hailongfvt.zapto.org | 185.140.53.139 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          (empty URL) | true | Avira URL Cloud: safe | low
          hailongfvt.zapto.org | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://tempuri.org/DS_Student_Fees.xsd | dhcpmon.exe | false | Avira URL Cloud: safe | unknown
          http://tempuri.org/aLL_STUDENT_DATA.xsd | dhcpmon.exe, dhcpmon.exe, 00000012.00000002.321328745.0000000000B52000.00000002.00020000.sdmp, cpIaMuv3PV.exe | false | Avira URL Cloud: safe | unknown
          http://tempuri.org/DS_Student_Fees.xsd;stbl_Student_Purchase_Details7DS_Student_Purchase_Detailsehtt | cpIaMuv3PV.exe | false | Avira URL Cloud: safe | unknown
          http://tempuri.org/DS_All_Student_Bill.xsd;stbl_Product_Purchase_DetailsUhttp://tempuri.org/DS_Produ | cpIaMuv3PV.exe | false | Avira URL Cloud: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | false | | high
          http://tempuri.org/DS_All_Student_Bill.xsd | dhcpmon.exe | false | Avira URL Cloud: safe | unknown
          https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | cpIaMuv3PV.exe, 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp | false | | high
          http://tempuri.org/DS_Stock.xsd | dhcpmon.exe, dhcpmon.exe, 00000012.00000002.321328745.0000000000B52000.00000002.00020000.sdmp, cpIaMuv3PV.exe | false | Avira URL Cloud: safe | unknown
          http://tempuri.org/DS_Product_Purchase.xsd | dhcpmon.exe | false | Avira URL Cloud: safe | unknown
          http://tempuri.org/DS_Student_Purchase_Details.xsd | dhcpmon.exe | false | Avira URL Cloud: safe | unknown

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              185.140.53.139 | unknown | Sweden | 209623 | DAVID_CRAIGGG | true

              Private

              IP
              192.168.2.1

              General Information

              Joe Sandbox Version: 31.0.0 Emerald
              Analysis ID: 358139
              Start date: 25.02.2021
              Start time: 04:01:25
              Joe Sandbox Product: CloudBasic
              Overall analysis duration: 0h 9m 56s
              Hypervisor based Inspection enabled: false
              Report type: full
              Sample file name: cpIaMuv3PV.exe
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed: 32
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Detection: MAL
              Classification: mal100.troj.evad.winEXE@12/9@23/2
              EGA Information: Failed
              HDC Information:
              • Successful, ratio: 1.8% (good quality ratio 1.4%)
              • Quality average: 61.1%
              • Quality standard deviation: 39.2%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 74
              • Number of non-executed functions: 1
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 51.103.5.159, 13.88.21.125, 204.79.197.200, 13.107.21.200, 51.11.168.160, 92.122.145.220, 104.43.193.48, 52.255.188.83, 23.218.208.56, 51.104.139.180, 2.20.142.209, 2.20.142.210, 93.184.221.240, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129
              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              04:02:18 | API Interceptor | 969x Sleep call for process: cpIaMuv3PV.exe modified
              04:02:25 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              04:02:39 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified

              Joe Sandbox View / Context

              IPs

              Match | Associated Sample Name / URL | Detection
              185.140.53.139 | COMPANY PROFILE AND DOCUMENTED OFFER.exe | malicious
              185.140.53.139 | Quotation ATB-PR28500KINH.exe | malicious
              185.140.53.139 | Quotation ATB-PR28500KINH.exe | malicious
              185.140.53.139 | RFQ-BOHB-SS-FD6L4.exe | malicious
              185.140.53.139 | PURCHASE_FABRICS_APPAREL_100%_COOTON.exe | malicious
              185.140.53.139 | GT-082568-HSO-280820.DOCX.exe | malicious

                          Domains

                          Match | Associated Sample Name / URL | Detection | Context
                          hailongfvt.zapto.org | COMPANY PROFILE AND DOCUMENTED OFFER.exe | malicious | 185.140.53.139

                          ASN

                          Match | Associated Sample Name / URL | Detection | Context
                          DAVID_CRAIGGG | 35dbds3GQG.exe | malicious | 185.140.53.138
                          DAVID_CRAIGGG | QXJGE2LOdP.exe | malicious | 185.140.53.138
                          DAVID_CRAIGGG | TxvR Order.exe | malicious | 185.140.53.43
                          DAVID_CRAIGGG | COMPANY PROFILE AND DOCUMENTED OFFER.exe | malicious | 185.140.53.139
                          DAVID_CRAIGGG | Attached file.exe | malicious | 185.244.30.113
                          DAVID_CRAIGGG | UNiOOhIN3e.exe | malicious | 185.244.30.241
                          DAVID_CRAIGGG | BzRmS2LLnB.exe | malicious | 91.193.75.94
                          DAVID_CRAIGGG | bDbA5Bf1k2.exe | malicious | 91.193.75.94
                          DAVID_CRAIGGG | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe | malicious | 91.193.75.197
                          DAVID_CRAIGGG | Recibo del env#U00c3o.exe | malicious | 91.193.75.17
                          DAVID_CRAIGGG | Revised Order 193-002.doc | malicious | 91.193.75.197
                          DAVID_CRAIGGG | ynS1BQTyzO.exe | malicious | 91.193.75.252
                          DAVID_CRAIGGG | Quote RF-E79-STD-2021-087.xlsx | malicious | 91.193.75.252
                          DAVID_CRAIGGG | PO57891255564GYH11192643-2152021,pdf.exe | malicious | 185.140.53.136
                          DAVID_CRAIGGG | Attachment.exe | malicious | 185.244.30.113
                          DAVID_CRAIGGG | Query_Ref_CSQ5429996-dtd_0202102021-pdf.jar | malicious | 185.244.30.187
                          DAVID_CRAIGGG | Query_Ref_CSQ5429996-dtd_0202102021-pdf.jar | malicious | 185.244.30.187
                          DAVID_CRAIGGG | DHL_6368638172 receipt document,pdf.exe | malicious | 185.140.53.130
                          DAVID_CRAIGGG | 47432000083600.xlsx | malicious | 185.244.30.21
                          DAVID_CRAIGGG | Belegbeleg DHL_119040, pdf.exe | malicious | 185.140.53.133

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Process:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):1272320
                          Entropy (8bit):6.785801085900234
                          Encrypted:false
                          SSDEEP:12288:WeDlsV8+pn+BMQI6wUq0yGArEln20Em3ojpiOJ8UPm4wYHWW7xsbASBCt6e54qXo:ZLNgpRLrHz7xEBBCYe54qXAm3RBjA1
                          MD5:A8911878F9C096C7BFE665B8076A8704
                          SHA1:1DFFAAC5E83C62A0478095C68684BC4974F559DB
                          SHA-256:498DF02F7263A2B524603CB58CD01C45115645F7586147FD39B19E930DFFC667
                          SHA-512:B401F30A85FAB432401668863A34D63989BB6745D36331BA78EAAC5FCA16BA56E5212670CF2A596216A60BF329F642042B1BC8C4244998ABEE7319A7CA9ADD86
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: Metadefender, Detection: 19%, Browse
                          • Antivirus: ReversingLabs, Detection: 38%
                          Reputation:low
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............P......L.......;... ........@.. ....................................@.................................p;..K....@...J........................................................................... ............... ..H............text........ ...................... ..`.rsrc....J...@...J..................@..@.reloc...............h..............@..B.................;......H............?...............O...........................................0..#.......+.&...(....(..........(.....o.....*..................0..........+.&..8......8.....+p..aa.+...na...mXE............K...X....g(.....+......&...+...eXE........ .../...>...M...h...q...z..............+..m(........+.8~.......8u.....(.......8f.....(.......8W.....(.......8H.....(....+.(....82......8-.......8$.......8.......8.........&+..8.......8....*.0..........+.&...+8..ga.+...aa8x.....hY+D...+...gXE
                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                          Process:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview: [ZoneTransfer]....ZoneId=0
                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cpIaMuv3PV.exe.log
                          Process:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):1400
                          Entropy (8bit):5.344635889251176
                          Encrypted:false
                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4sH:MgvjHK5HKXE1qHbHK5AHKzvRYHKhQnoR
                          MD5:CB0A771DADBDC62238A0AB0D40CC3382
                          SHA1:38A48365315A474D6E7117AC72A354935052051C
                          SHA-256:BBB2C37AFB091B8A3E18FC1D8B2A35707D0B64B373CDBA5A147BBAAEABD24C2E
                          SHA-512:6518C09AECF15B58D74B9E09A911ADB17CCB43B1508BEBAEEA9C1B563B766FBDA6B585E149AB16793DD2AD8761F7F6D68A18724369CF47FA023839C74F5549F0
                          Malicious:true
                          Reputation:moderate, very likely benign file
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1400
                          Entropy (8bit):5.344635889251176
                          Encrypted:false
                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4sH:MgvjHK5HKXE1qHbHK5AHKzvRYHKhQnoR
                          MD5:CB0A771DADBDC62238A0AB0D40CC3382
                          SHA1:38A48365315A474D6E7117AC72A354935052051C
                          SHA-256:BBB2C37AFB091B8A3E18FC1D8B2A35707D0B64B373CDBA5A147BBAAEABD24C2E
                          SHA-512:6518C09AECF15B58D74B9E09A911ADB17CCB43B1508BEBAEEA9C1B563B766FBDA6B585E149AB16793DD2AD8761F7F6D68A18724369CF47FA023839C74F5549F0
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                          C:\Users\user\AppData\Local\Temp\tmp2685.tmp
                          Process:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1663
                          Entropy (8bit):5.186428793191548
                          Encrypted:false
                          SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBAYtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3ue
                          MD5:3C48812341687AA2F8C0ABD00611CCF8
                          SHA1:5BF2AECFA0748C282DD2AC5A8AFF35622EB8C6C7
                          SHA-256:B3BFE0ED81C4107CEC70B9503371D2F6E013BA046018E7A912F825F25EF45804
                          SHA-512:06AD1F5C6D296A0D37368B3811488BF4D1220137D134AFD22C85D9230DCD8DA6F621BA52A3AEE0C953793A9507837257E2329DAEE2469A093ABA076B080A5D7D
                          Malicious:true
                          Reputation:low
                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                          C:\Users\user\AppData\Local\Temp\tmp7E79.tmp
                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1663
                          Entropy (8bit):5.186428793191548
                          Encrypted:false
                          SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBAYtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3ue
                          MD5:3C48812341687AA2F8C0ABD00611CCF8
                          SHA1:5BF2AECFA0748C282DD2AC5A8AFF35622EB8C6C7
                          SHA-256:B3BFE0ED81C4107CEC70B9503371D2F6E013BA046018E7A912F825F25EF45804
                          SHA-512:06AD1F5C6D296A0D37368B3811488BF4D1220137D134AFD22C85D9230DCD8DA6F621BA52A3AEE0C953793A9507837257E2329DAEE2469A093ABA076B080A5D7D
                          Malicious:false
                          Reputation:low
                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                          Process:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          File Type:ISO-8859 text, with NEL line terminators
                          Category:dropped
                          Size (bytes):8
                          Entropy (8bit):3.0
                          Encrypted:false
                          SSDEEP:3:sst:sst
                          MD5:5A86F30FF0CEF5D88164B253F6B691F1
                          SHA1:CFC30B4C368FAF9CECD6158AD98921760783FA49
                          SHA-256:26C1FDB652FA78AD690EA97E65C2C318D76438BA3D69D896001422D7D47F7DB9
                          SHA-512:1205329F6FBEB6B6E07E698F69438C9B7B264FFE61B8946F2C0856C8194AB274B20E89DE772D302B80ED36B43E3D1F30341E950372F7B4D6FB03A9A6E20D13C8
                          Malicious:true
                          Reputation:low
                          Preview: Q..6...H
                          C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe
                          Process:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):1272320
                          Entropy (8bit):6.785801085900234
                          Encrypted:false
                          SSDEEP:12288:WeDlsV8+pn+BMQI6wUq0yGArEln20Em3ojpiOJ8UPm4wYHWW7xsbASBCt6e54qXo:ZLNgpRLrHz7xEBBCYe54qXAm3RBjA1
                          MD5:A8911878F9C096C7BFE665B8076A8704
                          SHA1:1DFFAAC5E83C62A0478095C68684BC4974F559DB
                          SHA-256:498DF02F7263A2B524603CB58CD01C45115645F7586147FD39B19E930DFFC667
                          SHA-512:B401F30A85FAB432401668863A34D63989BB6745D36331BA78EAAC5FCA16BA56E5212670CF2A596216A60BF329F642042B1BC8C4244998ABEE7319A7CA9ADD86
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: Metadefender, Detection: 19%, Browse
                          • Antivirus: ReversingLabs, Detection: 38%
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............P......L.......;... ........@.. ....................................@.................................p;..K....@...J........................................................................... ............... ..H............text........ ...................... ..`.rsrc....J...@...J..................@..@.reloc...............h..............@..B.................;......H............?...............O...........................................0..#.......+.&...(....(..........(.....o.....*..................0..........+.&..8......8.....+p..aa.+...na...mXE............K...X....g(.....+......&...+...eXE........ .../...>...M...h...q...z..............+..m(........+.8~.......8u.....(.......8f.....(.......8W.....(.......8H.....(....+.(....82......8-.......8$.......8.......8.........&+..8.......8....*.0..........+.&...+8..ga.+...aa8x.....hY+D...+...gXE
                          C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe:Zone.Identifier
                          Process:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview: [ZoneTransfer]....ZoneId=0
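Added example (not part of the Joe Sandbox report): Python triage over the dropped-file records listed above. It checks the three things the report's signatures point at. Both PE drops (dhcpmon.exe under Program Files (x86) and OUCEGOEkZUvjuG.exe under AppData\Roaming) carry the submitted sample's own SHA-256, so they are plain self-copies. Each copy gets a Zone.Identifier stream written with ZoneId=0 (Local Machine zone), which is what "hides that the sample has been downloaded from the Internet" means in practice, since a browser download would carry ZoneId=3. And a Task Scheduler XML is staged as a .tmp file in %TEMP% before schtasks registers it. The stream content is reconstructed from the 26-byte preview, assuming the four non-printable bytes are CRLF CRLF; the record list, its field names and the helper functions are this example's own.

```python
# Added example, not part of the Joe Sandbox report: triage helpers run over the
# dropped-file records above. Zone.Identifier content is reconstructed from the
# 26-byte preview (assumes the four non-printable bytes are CRLF CRLF).
SAMPLE_SHA256 = "498df02f7263a2b524603cb58cd01c45115645f7586147fd39b19e930dffc667"
ZONE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"
SAMPLE_EXE = r"C:\Users\user\Desktop\cpIaMuv3PV.exe"

# Transcribed from the "Created / dropped Files" table (path, writing process,
# file type, SHA-256 where the table gives one, raw content for the ADS streams).
DROPPED = [
    {"path": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", "process": SAMPLE_EXE,
     "type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly", "sha256": SAMPLE_SHA256},
    {"path": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier",
     "process": SAMPLE_EXE, "type": "ASCII text", "content": ZONE_STREAM},
    {"path": r"C:\Users\user\AppData\Local\Temp\tmp2685.tmp", "process": SAMPLE_EXE,
     "type": "XML 1.0 document, ASCII text",
     "sha256": "b3bfe0ed81c4107cec70b9503371d2f6e013ba046018e7a912f825f25ef45804"},
    {"path": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat",
     "process": SAMPLE_EXE, "type": "ISO-8859 text",
     "sha256": "26c1fdb652fa78ad690ea97e65c2c318d76438ba3d69d896001422d7d47f7db9"},
    {"path": r"C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe", "process": SAMPLE_EXE,
     "type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly", "sha256": SAMPLE_SHA256},
    {"path": r"C:\Users\user\AppData\Roaming\OUCEGOEkZUvjuG.exe:Zone.Identifier",
     "process": SAMPLE_EXE, "type": "ASCII text", "content": ZONE_STREAM},
]

URLZONE_INTERNET = 3   # ZoneId values below this do not carry the Mark of the Web


def parse_zone_identifier(data):
    """Parse a Zone.Identifier stream (INI syntax); ZoneId is converted to int."""
    section, fields = None, {}
    for raw in data.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            fields[key] = int(value) if key == "ZoneId" else value
    return fields


def self_copies(records, sample_sha256):
    """Paths whose bytes are identical to the submitted sample (self-replication)."""
    return [r["path"] for r in records
            if r.get("sha256", "").lower() == sample_sha256.lower()]


def motw_tampering(records):
    """(file, ZoneId) for Zone.Identifier streams written with a zone below Internet."""
    hits = []
    for r in records:
        if r["path"].endswith(":Zone.Identifier") and "content" in r:
            zone = parse_zone_identifier(r["content"]).get("ZoneId")
            if zone is not None and zone < URLZONE_INTERNET:
                hits.append((r["path"][: -len(":Zone.Identifier")], zone))
    return hits


def staged_task_xml(records):
    """Task Scheduler XML written to %TEMP% as a .tmp file (schtasks /create /xml pattern)."""
    return [r["path"] for r in records
            if r["type"].startswith("XML") and r["path"].lower().endswith(".tmp")
            and "\\temp\\" in r["path"].lower()]


def triage(records, sample_sha256):
    """Self-copies with the ZoneId each one was given, plus any staged task XML."""
    zones = dict(motw_tampering(records))
    return {
        "self_copies": {p: zones.get(p) for p in self_copies(records, sample_sha256)},
        "task_xml": staged_task_xml(records),
    }


if __name__ == "__main__":
    for key, value in triage(DROPPED, SAMPLE_SHA256).items():
        print(key, value)
```

Writing the HKLM Run value and the Program Files (x86) directory both need administrative rights, so the fact that they succeeded tells you the sandbox user was an administrator. The sample hash under a different file name is the simplest hunt key for the copies; an explicit ZoneId=0 stream created by a non-browser process is the hunt key for the MOTW tampering.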

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):6.785801085900234
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                          File name:cpIaMuv3PV.exe
                          File size:1272320
                          MD5:a8911878f9c096c7bfe665b8076a8704
                          SHA1:1dffaac5e83c62a0478095c68684bc4974f559db
                          SHA256:498df02f7263a2b524603cb58cd01c45115645f7586147fd39b19e930dffc667
                          SHA512:b401f30a85fab432401668863a34d63989bb6745d36331ba78eaac5fca16ba56e5212670cf2a596216a60bf329f642042b1bc8c4244998abee7319a7ca9add86
                          SSDEEP:12288:WeDlsV8+pn+BMQI6wUq0yGArEln20Em3ojpiOJ8UPm4wYHWW7xsbASBCt6e54qXo:ZLNgpRLrHz7xEBBCYe54qXAm3RBjA1
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............P......L.......;... ........@.. ....................................@................................

                          File Icon

                          Icon Hash:c870f0f0d8fc7c03

                          Static PE Info

                          General

                          Entrypoint:0x533bbe
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x6035C6C3 [Wed Feb 24 03:23:47 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the jump are zero padding, which disassembles as this instruction)

The jump target 0x00402000 is the ImageBase (0x400000) plus the IAT RVA (0x2000) listed under Data Directories, the single import slot through which the loader resolves mscoree.dll!_CorExeMain, the only import of this file. The native entry point is therefore just the standard CLR bootstrap stub; everything the sample does lives in managed code, so analysis has to start from the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008) rather than from this disassembly.

                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x133b70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x134000 | 0x4a00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x131bc4 | 0x131c00 | False | 0.531282738399 | data | 6.81640542834 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x134000 | 0x4a00 | 0x4a00 | False | 0.273807010135 | data | 3.78141625052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x13a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x134100 | 0x4228 | dBase III DBT, version number 0, next free block index 40 | |
RT_GROUP_ICON | 0x138338 | 0x14 | data | |
RT_VERSION | 0x13835c | 0x366 | data | |
RT_MANIFEST | 0x1386d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                          Imports

DLL | Import
mscoree.dll | _CorExeMain

                          Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright D S Damat Online
Assembly Version | 1.1.8.14
InternalName | MdConstant.exe
FileVersion | 1.1.8.14
CompanyName | D S Damat Online
LegalTrademarks |
Comments |
ProductName | D'S Damat
ProductVersion | 1.1.8.14
FileDescription | D'S Damat
OriginalFilename | MdConstant.exe

                          Network Behavior

                          Network Port Distribution
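Added example (not from the report): the TCP Packets table below shows ten short connections from 192.168.2.7 to 185.140.53.139 on port 3365, each from a fresh ephemeral source port, three client packets with three server replies per connection, and a new connection roughly every five to six seconds. The Python below parses an excerpt of that table (re-spaced by hand; first two connections in full, the opening packet of the other eight), takes the first outbound packet per source port as the connection start, and scores the reconnect interval with a median absolute deviation test. The thresholds, the LOCAL_NET prefix and the well-known port set are this example's own choices, not the sandbox's.

```python
import re
import statistics
from datetime import datetime, timezone

# Excerpt of the "TCP Packets" table from this report (timestamp, source port,
# destination port, source IP, destination IP), re-spaced by hand. The first two
# connections are complete; for the rest only the opening outbound packet is kept.
CAPTURE = """\
Feb 25, 2021 04:02:26.473370075 CET 49716 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:26.518624067 CET 3365 49716 185.140.53.139 192.168.2.7
Feb 25, 2021 04:02:27.120229959 CET 49716 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:27.165539980 CET 3365 49716 185.140.53.139 192.168.2.7
Feb 25, 2021 04:02:27.823421001 CET 49716 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:27.868802071 CET 3365 49716 185.140.53.139 192.168.2.7
Feb 25, 2021 04:02:33.288084030 CET 49723 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:33.335201025 CET 3365 49723 185.140.53.139 192.168.2.7
Feb 25, 2021 04:02:33.964596033 CET 49723 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:34.009816885 CET 3365 49723 185.140.53.139 192.168.2.7
Feb 25, 2021 04:02:34.574018955 CET 49723 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:34.620681047 CET 3365 49723 185.140.53.139 192.168.2.7
Feb 25, 2021 04:02:38.758946896 CET 49730 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:44.696266890 CET 49732 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:50.501729965 CET 49733 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:02:56.027457952 CET 49736 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:03:01.943954945 CET 49737 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:03:07.180772066 CET 49744 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:03:12.445955038 CET 49745 3365 192.168.2.7 185.140.53.139
Feb 25, 2021 04:03:17.944457054 CET 49751 3365 192.168.2.7 185.140.53.139
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>\S+) (?P<dst>\S+)$"
)

LOCAL_NET = "192.168."                               # sandbox client network (assumption)
WELL_KNOWN = {22, 25, 53, 80, 443, 587, 993, 995}    # ports not treated as unusual (assumption)


def parse_packet(line):
    """Return (epoch_seconds, sport, dport, src, dst), or None for a non-matching line.

    strptime's %f accepts at most six digits, so the nine-digit fraction in the
    sandbox timestamps is parsed separately and added as a float.
    """
    m = LINE.match(line.strip())
    if not m:
        return None
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    secs = base.timestamp() + float("0." + m["frac"])
    return secs, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]


def connection_starts(capture):
    """Map (dst, dport) -> sorted start times, one per outbound source port."""
    first = {}
    for line in capture.splitlines():
        pkt = parse_packet(line)
        if pkt is None or not pkt[3].startswith(LOCAL_NET):
            continue                                   # outbound packets only
        secs, sport, dport, _src, dst = pkt
        first.setdefault((dst, dport), {}).setdefault(sport, secs)   # first packet wins
    return {key: sorted(by_port.values()) for key, by_port in first.items()}


def beacon_score(starts, min_conns=5, max_jitter=0.2):
    """Periodic reconnects: median absolute deviation of the gaps, relative to the median."""
    if len(starts) < min_conns:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return {"connections": len(starts), "median_gap": med,
            "jitter": mad / med, "beaconing": mad / med < max_jitter}


def find_beacons(capture):
    """Score every (dst, dport) pair and note whether the port is outside WELL_KNOWN."""
    findings = {}
    for (dst, dport), starts in connection_starts(capture).items():
        score = beacon_score(starts)
        if score is not None:
            score["nonstandard_port"] = dport not in WELL_KNOWN
            findings[(dst, dport)] = score
    return findings


if __name__ == "__main__":
    for (dst, dport), s in find_beacons(CAPTURE).items():
        print(f"{dst}:{dport} conns={s['connections']} median_gap={s['median_gap']:.2f}s "
              f"jitter={s['jitter']:.3f} beaconing={s['beaconing']} "
              f"nonstandard_port={s['nonstandard_port']}")
```

The median absolute deviation is used instead of the standard deviation so that one long gap (the first interval here is about 6.8 s against a median near 5.5 s) does not mask an otherwise regular cadence. On a real capture, feed the full connection list rather than an excerpt, and treat a low-jitter result to a non-standard port as a lead to confirm against the process that owns the sockets, not as a verdict by itself.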

                          TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 04:02:26.473370075 CET | 49716 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:26.518624067 CET | 3365 | 49716 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:27.120229959 CET | 49716 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:27.165539980 CET | 3365 | 49716 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:27.823421001 CET | 49716 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:27.868802071 CET | 3365 | 49716 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:33.288084030 CET | 49723 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:33.335201025 CET | 3365 | 49723 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:33.964596033 CET | 49723 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:34.009816885 CET | 3365 | 49723 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:34.574018955 CET | 49723 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:34.620681047 CET | 3365 | 49723 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:38.758946896 CET | 49730 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:38.803987026 CET | 3365 | 49730 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:39.464996099 CET | 49730 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:39.511528969 CET | 3365 | 49730 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:40.074441910 CET | 49730 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:40.120079041 CET | 3365 | 49730 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:44.696266890 CET | 49732 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:44.741364956 CET | 3365 | 49732 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:45.278019905 CET | 49732 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:45.323188066 CET | 3365 | 49732 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:45.966013908 CET | 49732 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:46.011109114 CET | 3365 | 49732 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:50.501729965 CET | 49733 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:50.546786070 CET | 3365 | 49733 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:51.122309923 CET | 49733 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:51.167396069 CET | 3365 | 49733 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:51.825455904 CET | 49733 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:51.870436907 CET | 3365 | 49733 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:56.027457952 CET | 49736 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:56.074837923 CET | 3365 | 49736 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:56.622755051 CET | 49736 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:56.667952061 CET | 3365 | 49736 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:02:57.326021910 CET | 49736 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:02:57.371155977 CET | 3365 | 49736 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:01.943954945 CET | 49737 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:01.989780903 CET | 3365 | 49737 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:02.498291969 CET | 49737 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:02.543540001 CET | 3365 | 49737 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:03.045150042 CET | 49737 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:03.090298891 CET | 3365 | 49737 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:07.180772066 CET | 49744 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:07.225883007 CET | 3365 | 49744 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:07.733062029 CET | 49744 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:07.780318022 CET | 3365 | 49744 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:08.295571089 CET | 49744 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:08.340837955 CET | 3365 | 49744 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:12.445955038 CET | 49745 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:12.491339922 CET | 3365 | 49745 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:13.092895031 CET | 49745 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:13.138628960 CET | 3365 | 49745 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:13.796041012 CET | 49745 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:13.841634035 CET | 3365 | 49745 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:17.944457054 CET | 49751 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:17.989474058 CET | 3365 | 49751 | 185.140.53.139 | 192.168.2.7
Feb 25, 2021 04:03:18.586312056 CET | 49751 | 3365 | 192.168.2.7 | 185.140.53.139
Feb 25, 2021 04:03:18.631408930 CET | 3365 | 49751 | 185.140.53.139 | 192.168.2.7
                          Feb 25, 2021 04:03:19.187109947 CET497513365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:19.234419107 CET336549751185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:23.361229897 CET497523365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:23.406435013 CET336549752185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:24.094458103 CET497523365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:24.139643908 CET336549752185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:24.703216076 CET497523365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:24.748512030 CET336549752185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:29.927272081 CET497533365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:29.973731995 CET336549753185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:30.578682899 CET497533365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:30.623743057 CET336549753185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:31.284149885 CET497533365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:31.329207897 CET336549753185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:35.457288027 CET497543365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:35.502422094 CET336549754185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:36.079209089 CET497543365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:36.126812935 CET336549754185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:36.782363892 CET497543365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:36.829159975 CET336549754185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:40.945180893 CET497603365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:40.990593910 CET336549760185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:41.501486063 CET497603365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:41.546868086 CET336549760185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:42.048398972 CET497603365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:42.093969107 CET336549760185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:46.222960949 CET497673365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:46.268110991 CET336549767185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:46.767564058 CET497673365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:46.813080072 CET336549767185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:47.330116034 CET497673365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:47.376920938 CET336549767185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:51.506802082 CET497683365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:51.554889917 CET336549768185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:52.065949917 CET497683365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:52.111140013 CET336549768185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:52.611891985 CET497683365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:52.657094955 CET336549768185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:56.751504898 CET497693365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:56.796696901 CET336549769185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:57.299932003 CET497693365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:57.344906092 CET336549769185.140.53.139192.168.2.7
                          Feb 25, 2021 04:03:57.846683025 CET497693365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:03:57.893270016 CET336549769185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:01.997193098 CET497703365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:02.042678118 CET336549770185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:02.550335884 CET497703365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:02.595520973 CET336549770185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:03.097105026 CET497703365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:03.144711018 CET336549770185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:07.275775909 CET497713365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:07.323055029 CET336549771185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:07.831933975 CET497713365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:07.879686117 CET336549771185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:08.394496918 CET497713365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:08.439744949 CET336549771185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:12.528439045 CET497733365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:12.573503971 CET336549773185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:13.082477093 CET497733365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:13.127970934 CET336549773185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:13.629709005 CET497733365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:13.675120115 CET336549773185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:17.783926010 CET497743365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:17.829197884 CET336549774185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:18.332849979 CET497743365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:18.378093004 CET336549774185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:18.879679918 CET497743365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:18.924948931 CET336549774185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:22.994703054 CET497753365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:23.039895058 CET336549775185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:23.567531109 CET497753365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:23.612678051 CET336549775185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:24.130060911 CET497753365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:24.175403118 CET336549775185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:28.236217976 CET497763365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:28.281243086 CET336549776185.140.53.139192.168.2.7
                          Feb 25, 2021 04:04:28.786741972 CET497763365192.168.2.7185.140.53.139
                          Feb 25, 2021 04:04:28.831885099 CET336549776185.140.53.139192.168.2.7

                          UDP Packets


                          DNS Queries


                          DNS Answers


                          Code Manipulations

                          Statistics

                          CPU Usage

                          Memory Usage

                          High Level Behavior Distribution

                          Behavior

                          System Behavior

                          General

                          Start time: 04:02:15
                          Start date: 25/02/2021
                          Path: C:\Users\user\Desktop\cpIaMuv3PV.exe
                          Wow64 process (32bit): true
                          Commandline: 'C:\Users\user\Desktop\cpIaMuv3PV.exe'
                          Imagebase: 0xb30000
                          File size: 1272320 bytes
                          MD5 hash: A8911878F9C096C7BFE665B8076A8704
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.247716186.0000000003FCD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.247240720.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.248243542.00000000040F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.247304436.0000000002FBC000.00000004.00000001.sdmp, Author: Joe Security
                          Reputation: low

                          General

                          Start time: 04:02:20
                          Start date: 25/02/2021
                          Path: C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit): true
                          Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2685.tmp'
                          Imagebase: 0x2b0000
                          File size: 185856 bytes
                          MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high

                          General

                          Start time:04:02:21
                          Start date:25/02/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff774ee0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:04:02:22
                          Start date:25/02/2021
                          Path:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\cpIaMuv3PV.exe
                          Imagebase:0x4b0000
                          File size:1272320 bytes
                          MD5 hash:A8911878F9C096C7BFE665B8076A8704
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.509285336.0000000005190000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.509285336.0000000005190000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.508238274.0000000003999000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.501066810.0000000002951000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.509339734.0000000005270000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.509339734.0000000005270000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.509339734.0000000005270000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.498104256.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:04:02:34
                          Start date:25/02/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                          Imagebase:0x7ff6e70f0000
                          File size:1272320 bytes
                          MD5 hash:A8911878F9C096C7BFE665B8076A8704
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.300425603.0000000003311000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.302116757.0000000004318000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.300490631.0000000003359000.00000004.00000001.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 19%, Metadefender, Browse
                          • Detection: 38%, ReversingLabs
                          Reputation:low

                          General

                          Start time:04:02:43
                          Start date:25/02/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OUCEGOEkZUvjuG' /XML 'C:\Users\user\AppData\Local\Temp\tmp7E79.tmp'
                          Imagebase:0x1070000
                          File size:185856 bytes
                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:04:02:44
                          Start date:25/02/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff774ee0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:04:02:45
                          Start date:25/02/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Imagebase:0xb50000
                          File size:1272320 bytes
                          MD5 hash:A8911878F9C096C7BFE665B8076A8704
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.322544364.00000000042C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.322397159.00000000032C1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.322397159.00000000032C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.321286560.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          Disassembly

                          Code Analysis


                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DFE96A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID: 3dj^
                            • API String ID: 716092398-2680493169
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02DFC9E6
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DFE96A
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DFE96A
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DFE96A
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DFE96A
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DF7E2F
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DF7E2F
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DFCA61,00000800,00000000,00000000), ref: 02DFCC72
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DFCA61,00000800,00000000,00000000), ref: 02DFCC72
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02DFC9E6
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 02DFEF05
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 02DFEF05
                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247096472.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247105925.000000000143D000.00000040.00000001.sdmp, Offset: 0143D000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247105925.000000000143D000.00000040.00000001.sdmp, Offset: 0143D000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247096472.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247096472.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.247096472.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Memory Dump Source
                            • Source File: 00000000.00000002.247186797.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0280B730
                            • GetCurrentThread.KERNEL32 ref: 0280B76D
                            • GetCurrentProcess.KERNEL32 ref: 0280B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0280B803
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 58d8f527cdf280ed9e9850b33d86756144900363f0d024b500dc09d8d8eca376
                            • Instruction ID: e002ca2952472f9164d4719db641de16a29337e2ab6fd058a69a1a97215b9165
                            • Opcode Fuzzy Hash: 58d8f527cdf280ed9e9850b33d86756144900363f0d024b500dc09d8d8eca376
                            • Instruction Fuzzy Hash: CD516AB89043488FDB54CFA9D588BDEBBF1EF48318F248459E449A7290C7746845CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0280B730
                            • GetCurrentThread.KERNEL32 ref: 0280B76D
                            • GetCurrentProcess.KERNEL32 ref: 0280B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0280B803
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: a4ac1a3f7fd88b098caf129ff2478e24864f934e0b476afe630f42570a2c82ed
                            • Instruction ID: 089b96e3dded4834331e78a8b0d6ac3638c4d31dc211bf46190cca6532c1685c
                            • Opcode Fuzzy Hash: a4ac1a3f7fd88b098caf129ff2478e24864f934e0b476afe630f42570a2c82ed
                            • Instruction Fuzzy Hash: 855168B8E002488FDB54CFA9D588BDEBBF1EF48318F248459E049A3390C7746845CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1da3ca932a3c3e2aba86c3f8889b3f411aacfc15c2159a93634e92bb2254daf
                            • Instruction ID: 6b5b1667ead710bab6b4f36a65e31e9ba44a9b77d9710ac8e51a5431eeb4e969
                            • Opcode Fuzzy Hash: b1da3ca932a3c3e2aba86c3f8889b3f411aacfc15c2159a93634e92bb2254daf
                            • Instruction Fuzzy Hash: F4919D75C083899FDB12CFA4C8919CDBFB0FF0A314F15819AE894AB1A2D7345946DF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.509644127.0000000005F10000.00000040.00000001.sdmp, Offset: 05F10000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72c2ae432e8971b4655129272bf37f51efc493bfe18c8a2cc69026ffbb72397b
                            • Instruction ID: c7e2cc17a30875fe579de877bb8b6d3d5db39909e53bd700925762202ce44cce
                            • Opcode Fuzzy Hash: 72c2ae432e8971b4655129272bf37f51efc493bfe18c8a2cc69026ffbb72397b
                            • Instruction Fuzzy Hash: 07818A71D04359CFDB10DFA9C880ADEBBB2FF49314F10852AE815AB290DB74A949CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0280962E
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 5212f0660b5aeeb645c564aeab606ff959f8cdcae3f29a468c244d655066989b
                            • Instruction ID: 37a15c482d799682ea5cd5019b0c5862d63101630b97af5952b1cb23a52cf8ec
                            • Opcode Fuzzy Hash: 5212f0660b5aeeb645c564aeab606ff959f8cdcae3f29a468c244d655066989b
                            • Instruction Fuzzy Hash: EC712478A00B058FD764DF2AD48175ABBF2FF88614F008A2DD58AD7A91D734E845CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05F13358
                            Memory Dump Source
                            • Source File: 00000004.00000002.509644127.0000000005F10000.00000040.00000001.sdmp, Offset: 05F10000, based on PE: false
                            Similarity
                            • API ID: Query_
                            • String ID:
                            • API String ID: 428220571-0
                            • Opcode ID: e4fd1aab46ed5417801083a06a31877a45a9497e54efb000071475b5d20762c8
                            • Instruction ID: a4fc98337ef3e7ee597be2902d1da112d38040aab5455e4a39708f2c0384e71f
                            • Opcode Fuzzy Hash: e4fd1aab46ed5417801083a06a31877a45a9497e54efb000071475b5d20762c8
                            • Instruction Fuzzy Hash: 3E515771D04358DFDB10CFA9C881ADEBBB1FF48314F24842AE805AB290DB74A946CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05F13358
                            Memory Dump Source
                            • Source File: 00000004.00000002.509644127.0000000005F10000.00000040.00000001.sdmp, Offset: 05F10000, based on PE: false
                            Similarity
                            • API ID: Query_
                            • String ID:
                            • API String ID: 428220571-0
                            • Opcode ID: 147d019c09a9af705dc36fa9c42910a195f0c039a6163a34ff08c6050dae25ea
                            • Instruction ID: 01675699849cbb69e5fe926c6530acfe474e34ba546407f62845eb3d42fb085d
                            • Opcode Fuzzy Hash: 147d019c09a9af705dc36fa9c42910a195f0c039a6163a34ff08c6050dae25ea
                            • Instruction Fuzzy Hash: 0A513771D04258CFDB10CFA9C880BDDBBB1FF48314F24842AE815AB290DB74A946CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05F13358
                            Memory Dump Source
                            • Source File: 00000004.00000002.509644127.0000000005F10000.00000040.00000001.sdmp, Offset: 05F10000, based on PE: false
                            Similarity
                            • API ID: Query_
                            • String ID:
                            • API String ID: 428220571-0
                            • Opcode ID: 58535962d11c3dc96b79075e3a73e0b7dca7fc7c5d0d4acaa488592467793e7b
                            • Instruction ID: 0c0dc8707bccb0ac286af6ffe55f75247bd8718d47cfe3490c754a1987475bb5
                            • Opcode Fuzzy Hash: 58535962d11c3dc96b79075e3a73e0b7dca7fc7c5d0d4acaa488592467793e7b
                            • Instruction Fuzzy Hash: C5513571D04258DFDB10DFA9C880BDEBBB5FF48314F14842AE819AB290DB74A946CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0280FD0A
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: c8b8fe7a03b0a32a6e891d44bc4877687e5fe261f74ef3755baa850973e9dfcd
                            • Instruction ID: 8950f4e92fa837d6d20d97d33ffa7b23ad8334f38236f04d625f4ba804f4d568
                            • Opcode Fuzzy Hash: c8b8fe7a03b0a32a6e891d44bc4877687e5fe261f74ef3755baa850973e9dfcd
                            • Instruction Fuzzy Hash: 2341C0B5D003589FDF14CF99C884ADEBBB5FF88314F24822AE919AB250D774A945CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280BD87
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 8cb496635b66806aed1b4195ed59194e7d8c1d6c5b1ac62c8a038ab57e0757c8
                            • Instruction ID: 9786c62ab38a74b6934bb4162b5940965365909762ad4de9de14ecc08cb6e36d
                            • Opcode Fuzzy Hash: 8cb496635b66806aed1b4195ed59194e7d8c1d6c5b1ac62c8a038ab57e0757c8
                            • Instruction Fuzzy Hash: 98419D78E84344DFEB01DFA1E984BA97BB5FB49702F10862AE9458B3C5C7756942CF10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280BD87
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: ed00ea68e359dcfb82fb9affb675b6078fbfe1ebde27844d02494667058fb33f
                            • Instruction ID: b0f0572ef6a16c7f8a76203bba8b93efaf9095bbed7639701282d9ba4ec18736
                            • Opcode Fuzzy Hash: ed00ea68e359dcfb82fb9affb675b6078fbfe1ebde27844d02494667058fb33f
                            • Instruction Fuzzy Hash: 5321E3B5D012489FDB10CF9AD984ADEFBF4EB48324F14841AE959A3350D378A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280BD87
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: fea351995dfb73c5688ec529461bb04de5651579ce67e7681b0c8889f1d59873
                            • Instruction ID: 1c4aa9b43c6730374cae5ca2208c0d462710ef7c0ca85a376053979a193d52d6
                            • Opcode Fuzzy Hash: fea351995dfb73c5688ec529461bb04de5651579ce67e7681b0c8889f1d59873
                            • Instruction Fuzzy Hash: B621E4B5D002489FDB10CF9AD984ADEFBF4FB48324F14841AE958A3350C374A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,028096A9,00000800,00000000,00000000), ref: 028098BA
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 86c7268e3bda7ce9b4778535f2e12acd5f1431c4de095994d14f81de9c27351f
                            • Instruction ID: 734a6eebb182915b1287d5e0cc5b75b15de63b4feac12e5d77dc4efc51ba7086
                            • Opcode Fuzzy Hash: 86c7268e3bda7ce9b4778535f2e12acd5f1431c4de095994d14f81de9c27351f
                            • Instruction Fuzzy Hash: 461124B6D002498FDB10CF9AC884BDEBBF4EB48324F04842EE559A7600C374A545CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,028096A9,00000800,00000000,00000000), ref: 028098BA
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 74874bd93a32baf4bd4a22aa9ff269ff5c7e288c8e62c7c9327a34b0dbfcb510
                            • Instruction ID: 7952200b333dd11d14851a067c8e5f21d71b475d13ab9fd4587cc02c24ead353
                            • Opcode Fuzzy Hash: 74874bd93a32baf4bd4a22aa9ff269ff5c7e288c8e62c7c9327a34b0dbfcb510
                            • Instruction Fuzzy Hash: 3D1103BAD042498FDB10CF9AC884BDEBBF4EB48724F04842EE519A7740C375A945CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0280962E
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 1f57c60fe0e5850a1e56363055b6fb123ab29ab7183f0d6727c18443ea05ef00
                            • Instruction ID: 7b265db2f451638000937bcd5ee91621907c0ac5ddaff77bd6cae8f377659e2a
                            • Opcode Fuzzy Hash: 1f57c60fe0e5850a1e56363055b6fb123ab29ab7183f0d6727c18443ea05ef00
                            • Instruction Fuzzy Hash: 8111E3B6D002898FCB10CF9AC844BDEFBF4AF88624F14841AD469A7651D374A545CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0280FE9D
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: e87008c7462ca632661a0afb2aa5ad19cb1e747b245b03590cf6501c3164332a
                            • Instruction ID: 3ec1b0714be224de84fe30247c45f0015db4fc7a6ad4c149e8750e3ca281059e
                            • Opcode Fuzzy Hash: e87008c7462ca632661a0afb2aa5ad19cb1e747b245b03590cf6501c3164332a
                            • Instruction Fuzzy Hash: 461133B5D002488FCB20CF99D589BDFBBF4EB88324F10841AE959A7240C374A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0280FE9D
                            Memory Dump Source
                            • Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: d027cebf5621c2b2a809ceaeb31489048bbe9cdd1e1828f8bdad50ff29c66b4c
                            • Instruction ID: 8d7ac19e8ce64f7f3d1b731c8457ef5c16a9dd006798ef69b0bc962f369fb328
                            • Opcode Fuzzy Hash: d027cebf5621c2b2a809ceaeb31489048bbe9cdd1e1828f8bdad50ff29c66b4c
                            • Instruction Fuzzy Hash: C81115B59002488FDB10CF99D584BDFBBF8EB48324F10841AE959A7740C374A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.500466971.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: af7939952ca407ef0da52c5cc1591c8f20827bba04d136e4480ada2a6e4700e1
                            • Instruction ID: f3116d294823461c7cd48baebd020b4c687239369734745839c907bf29fb0a28
                            • Opcode Fuzzy Hash: af7939952ca407ef0da52c5cc1591c8f20827bba04d136e4480ada2a6e4700e1
                            • Instruction Fuzzy Hash: 1C2125B1504240DFDB04DF14D8C0F26BB66FB98324F28C569E94A4BA46C376EC46CBB2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.500466971.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c67615cd899b7ef35d08e820be77026c948bf7383f9e1f2447844d705a8e3f81
                            • Instruction ID: e0b2ee5f0b13d4940d16b8c58b80134721c7b2e3638705682a1e48ecede029f2
                            • Opcode Fuzzy Hash: c67615cd899b7ef35d08e820be77026c948bf7383f9e1f2447844d705a8e3f81
                            • Instruction Fuzzy Hash: C52128B1908240DFDB05DF14D8C0B26BF66FB99328F288569D9464B616C336DC46CBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.500668544.000000000266D000.00000040.00000001.sdmp, Offset: 0266D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f641b6aabeb5814b45fde5c7c54e6a803740431e6fb482cf8733e1520a9a7b0d
                            • Instruction ID: b237ccdd10fa2b9c20948c8c6b461e55a37a0cb7b90a312411bd1717b86dc52c
                            • Opcode Fuzzy Hash: f641b6aabeb5814b45fde5c7c54e6a803740431e6fb482cf8733e1520a9a7b0d
                            • Instruction Fuzzy Hash: 1721C2B5608280DFDB14DF14D9C8B36BB65FB88318F24C569E94A4B356C336D847CAA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.500668544.000000000266D000.00000040.00000001.sdmp, Offset: 0266D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f54d49aeacdbf3cab3ee0329dfdb28bd6c9c6e7fa3e3917fa9e731a6be4347ad
                            • Instruction ID: c1d0ef20913a58f7e5e058a9b9466d7eb7dafd5b3bb029f408fc581a00dc4429
                            • Opcode Fuzzy Hash: f54d49aeacdbf3cab3ee0329dfdb28bd6c9c6e7fa3e3917fa9e731a6be4347ad
                            • Instruction Fuzzy Hash: 272162755093C08FDB12CF24D594B25BF71EB46214F28C5DAD8498B667C33A984ACB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.500466971.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
                            • Instruction ID: 81cdeffbe48a795897384f4a4218b3e95f905c4def3cb52949abc70fedacd968
                            • Opcode Fuzzy Hash: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
                            • Instruction Fuzzy Hash: 0111E676904280CFDF16CF14D5C4B16BF72FB95324F28C6A9D8050B616C336D856CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.500466971.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
                            • Instruction ID: 77a4b646bf7ebe2822f7596c74bb49f7cb36d8d1f50536a8276dee5159710799
                            • Opcode Fuzzy Hash: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
                            • Instruction Fuzzy Hash: 59110876504280CFDF15CF10D5C4B16BF72FB99324F28C6A9D8450BA16C336E856CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%
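
The process-4 records above are emitted one per dumped region and tie each API reference to an absolute call-site address, a dump file name and an Opcode ID / Instruction ID pair. The Python below is an added example for working with that record format; it is not part of the Joe Sandbox report. It parses the records into a per-process API profile, collapses re-dumped copies of the same code by Opcode ID (the two cd9fccb4... records at 00DAD000 differ only in Instruction ID), rewrites each call site as an offset inside its dump file, and lists regions that are executable-writable yet not PE-backed. The sample input is copied from the records above and trimmed to the lines the parser reads. Reading the dump name's fifth dotted field as the Windows page-protection value (0x40 = PAGE_EXECUTE_READWRITE) is an assumption of this example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: five records copied from the process-4 listing above and
# trimmed to the lines this parser reads (fuzzy-hash and Similarity lines are skipped).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 0280B730
• GetCurrentThread.KERNEL32 ref: 0280B76D
• GetCurrentProcess.KERNEL32 ref: 0280B7AA
• GetCurrentThreadId.KERNEL32 ref: 0280B803
Memory Dump Source
• Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
• Opcode ID: 58d8f527cdf280ed9e9850b33d86756144900363f0d024b500dc09d8d8eca376
• Instruction ID: e002ca2952472f9164d4719db641de16a29337e2ab6fd058a69a1a97215b9165
Uniqueness Score: -1.00%
APIs
• DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05F13358
Memory Dump Source
• Source File: 00000004.00000002.509644127.0000000005F10000.00000040.00000001.sdmp, Offset: 05F10000, based on PE: false
• Opcode ID: e4fd1aab46ed5417801083a06a31877a45a9497e54efb000071475b5d20762c8
• Instruction ID: a4fc98337ef3e7ee597be2902d1da112d38040aab5455e4a39708f2c0384e71f
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280BD87
Memory Dump Source
• Source File: 00000004.00000002.500926181.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
• Opcode ID: 8cb496635b66806aed1b4195ed59194e7d8c1d6c5b1ac62c8a038ab57e0757c8
• Instruction ID: 9786c62ab38a74b6934bb4162b5940965365909762ad4de9de14ecc08cb6e36d
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000004.00000002.500466971.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
• Opcode ID: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
• Instruction ID: 81cdeffbe48a795897384f4a4218b3e95f905c4def3cb52949abc70fedacd968
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000004.00000002.500466971.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
• Opcode ID: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
• Instruction ID: 77a4b646bf7ebe2822f7596c74bb49f7cb36d8d1f50536a8276dee5159710799
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$")
ID_RE = re.compile(r"^• (?P<kind>Opcode|Instruction) ID: (?P<hex>[0-9a-f]+)$")
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant


def parse_records(text):
    """Split the listing into function records; each ends at its 'Uniqueness Score' line."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur["apis"].append((m["api"], m["mod"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            fields = m["file"].split(".")
            cur["offset"] = int(m["off"], 16)
            cur["based_on_pe"] = m["pe"].lower() == "true"
            cur["process"] = int(fields[0])          # first field: process index
            cur["protection"] = int(fields[4], 16)   # assumption: fifth field is page protection
        elif m := ID_RE.match(line):
            cur[m["kind"].lower() + "_id"] = m["hex"]
        elif line.startswith("Uniqueness Score:"):
            # Rewrite absolute call sites as offsets inside the dump file.
            cur["apis"] = [(a, mod, ref - cur["offset"]) for a, mod, ref in cur["apis"]]
            records.append(cur)
            cur = {"apis": []}
    return records


def unique_opcode_ids(records):
    """Distinct functions: re-dumped copies of one function share an Opcode ID, not an Instruction ID."""
    return {r["opcode_id"] for r in records if "opcode_id" in r}


def api_profile(records):
    """Per process: module -> sorted API names referenced from dumped code."""
    prof = defaultdict(lambda: defaultdict(set))
    for r in records:
        for api, mod, _ in r["apis"]:
            prof[r["process"]][mod].add(api)
    return {p: {m: sorted(v) for m, v in mods.items()} for p, mods in prof.items()}


def rwx_non_pe_regions(records):
    """(process, base) of executable-writable regions whose code is not backed by a PE image."""
    return sorted({(r["process"], r["offset"]) for r in records
                   if r["protection"] == PAGE_EXECUTE_READWRITE and not r["based_on_pe"]})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records,", len(unique_opcode_ids(recs)), "distinct functions")
    print(api_profile(recs))
    print([(p, f"{base:08X}") for p, base in rwx_non_pe_regions(recs)])
```

Run it on the full listing by feeding the report text to parse_records instead of SAMPLE. The call-site offsets it produces (for example 0xB730 for the GetCurrentProcess reference in the 02800000 dump) are what you need to seat a disassembler at the right place in the .sdmp file, and the per-process profile gives a compact view of which imports the unpacked code actually resolves.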

                            Non-executed Functions

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b27068638c044f43a17b89eb20511eaa3829dec484a7aec03f9cd62675dc996e
                            • Instruction ID: bee634ecbc83baf486367e0d7705d000a018645dca6e8505d17aaf24f2dde6fa
                            • Opcode Fuzzy Hash: b27068638c044f43a17b89eb20511eaa3829dec484a7aec03f9cd62675dc996e
                            • Instruction Fuzzy Hash: DB818CB1C14388AFDF12CFA5C880ADDBFB1EF49310F1A819AE454AB262D7759885CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 7f89c1841e7a51e22e876fdeab4d23c2cc957e44ab67a7b88ffd0c4c2422d7c7
                            • Instruction ID: 384469445048d15d6c383ac34ed4d9c6775f5e2c3f0b9fdf38bbba5eb840831f
                            • Opcode Fuzzy Hash: 7f89c1841e7a51e22e876fdeab4d23c2cc957e44ab67a7b88ffd0c4c2422d7c7
                            • Instruction Fuzzy Hash: 5B714770A10B168FDB24DF2AD054B5ABBF5FF88204F04892DD44ADBA50DB74E885CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 50ce859400b72daae82b7ae969b9b7e930bab3e435b3e3e75a614c1b9b31c0eb
                            • Instruction ID: 56adcdff03e93df2327a1db6325fcbb5c59e8c0f51c8299f4735633980f7f63f
                            • Opcode Fuzzy Hash: 50ce859400b72daae82b7ae969b9b7e930bab3e435b3e3e75a614c1b9b31c0eb
                            • Instruction Fuzzy Hash: 777132B1C10249AFDF15CFA5D880ADDBFB1FF48310F19815AE818AB221D731A886DF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032DE96A
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 32467813671de0f03b47ed8660c9305f64d7b37e799a57234acb623dcec0346b
                            • Instruction ID: c09dfc1599a6a84e8f6f30532e77a8741476c11adb0ec5e5de44caef93d2f869
                            • Opcode Fuzzy Hash: 32467813671de0f03b47ed8660c9305f64d7b37e799a57234acb623dcec0346b
                            • Instruction Fuzzy Hash: 9C51B0B1D10349DFDB14CF99D884ADEFBB5BF48314F25822AE819AB210D774A885CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ed1cdae8f740c576865ab7079819eedaa3ea4a1e794c2a1643f88afbd79e996
                            • Instruction ID: 70a3309b499d0b9157bd27bc526d4bf32b299f6817a6b72b8874f5b547290d65
                            • Opcode Fuzzy Hash: 3ed1cdae8f740c576865ab7079819eedaa3ea4a1e794c2a1643f88afbd79e996
                            • Instruction Fuzzy Hash: 72418F718193989FDB02CFADD890ADEBFF4EF1A214F05446AE540E7292D3789D44CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032D7D6E,?,?,?,?,?), ref: 032D7E2F
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: c4fb4788ff9bfba36f8dbde4ba9c7648676a12fb07130364a4b09dd7eaf3bc20
                            • Instruction ID: 525600325295dd241c8485a46710a8a3697fcf105d5e65f3d57df1edadbbb693
                            • Opcode Fuzzy Hash: c4fb4788ff9bfba36f8dbde4ba9c7648676a12fb07130364a4b09dd7eaf3bc20
                            • Instruction Fuzzy Hash: 703126B5914208EFDB10CF99D484AEEFBF8FB48314F14851AE859A3350D378A945CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,032DEE90,?,?,?,?), ref: 032DEF05
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: 33bee34953c7c5274bc4000ee03450365d5d0c1f5d2efd46465c6b1500e16dcd
                            • Instruction ID: 512594aa380784972d32ed597ab4e726890a25676cd1bf619f275aeed37dbf1d
                            • Opcode Fuzzy Hash: 33bee34953c7c5274bc4000ee03450365d5d0c1f5d2efd46465c6b1500e16dcd
                            • Instruction Fuzzy Hash: BC319CB5910349AFDB15DF99C845BAFBBF8FB48364F15841AE405AB300C775A840CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032D7D6E,?,?,?,?,?), ref: 032D7E2F
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 8463a904a23cda5cdee026ce601c78dabd902ecf02e1a3612db386931396bf93
                            • Instruction ID: 02c638fe9448fe142df8ca89baf456942e1b30c75beb200c2425c8fd527f4a97
                            • Opcode Fuzzy Hash: 8463a904a23cda5cdee026ce601c78dabd902ecf02e1a3612db386931396bf93
                            • Instruction Fuzzy Hash: 9E21E6B59002589FDB10CF99D584AEEFBF8FB48314F14841AE955A3310D378A945DFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032D7D6E,?,?,?,?,?), ref: 032D7E2F
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 608d31de7e083cb999ff92cc702f66b8bfdebae8621184153f8b757e7b2982c6
                            • Instruction ID: 81c94ae490586884c82c953bc7705640f29f581497a3f4552ccdfbe42517c09c
                            • Opcode Fuzzy Hash: 608d31de7e083cb999ff92cc702f66b8bfdebae8621184153f8b757e7b2982c6
                            • Instruction Fuzzy Hash: A221E6B59002489FDB10CF99D484ADEFBF4FB48314F14841AE954A3310D378A945DFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032DCA61,00000800,00000000,00000000), ref: 032DCC72
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: a49d007eb12d42d2184f9098955f3661355f79fa1e6ae35094ebb5d1aba18758
                            • Instruction ID: c0dcf5831e3c82072f6d3d9d1a01957af7b88d8aedae4a442bbcfd91111a0f6b
                            • Opcode Fuzzy Hash: a49d007eb12d42d2184f9098955f3661355f79fa1e6ae35094ebb5d1aba18758
                            • Instruction Fuzzy Hash: EE2144B28003499FDB10CF9AD544ADEFBF4FB88324F14852EE529A7200C375A985CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032DCA61,00000800,00000000,00000000), ref: 032DCC72
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: f4813940d4700bd75f43a3050784665a00873d6ef4181893aa1899cdf191e085
                            • Instruction ID: 260ce84e5fa6d7e7755649c6443a42492657e6009d6ed632d7fb040af4867cfe
                            • Opcode Fuzzy Hash: f4813940d4700bd75f43a3050784665a00873d6ef4181893aa1899cdf191e085
                            • Instruction Fuzzy Hash: 691126B29043599FDB10CF9AD444BDEFBF4EB48720F14852EE515A7200C375A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,032DC7B3), ref: 032DC9E6
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 6f43f64733fa1eccaf5f48ecd849b80edda903c65165e0ca0caf325cdf99aa5f
                            • Instruction ID: cfc35f0a9f4689d56e3f74974009e9990d993def4049da65dd79d42079c73b1b
                            • Opcode Fuzzy Hash: 6f43f64733fa1eccaf5f48ecd849b80edda903c65165e0ca0caf325cdf99aa5f
                            • Instruction Fuzzy Hash: C711F3B29102598BCB10CF9AD444BEEFBF8AB48214F14851AD45AB7300C375A946CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,032DEE90,?,?,?,?), ref: 032DEF05
                            Memory Dump Source
                            • Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: 847348d1b6b378126c1eef0ab5a6097c20d7005d225616691eab71ca18266cef
                            • Instruction ID: 7e26c0569f0dc35959818ee7c8ffc16dc2d4894f3c373a9a0e054a6e57515fe2
                            • Opcode Fuzzy Hash: 847348d1b6b378126c1eef0ab5a6097c20d7005d225616691eab71ca18266cef
                            • Instruction Fuzzy Hash: 2F01D3B0814349DFDB10DF9AC489BAEBBF8EB48314F158459E855BB340C3B4A984CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0307B730
                            • GetCurrentThread.KERNEL32 ref: 0307B76D
                            • GetCurrentProcess.KERNEL32 ref: 0307B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0307B803
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: bbe54dedfcbba0ce48e8aebc97e80acba1be97365c2295545f11be8dc50d1324
                            • Instruction ID: c573bb4855bebc7da4323d20ab2d14d2c1329a835034b48a6521b9f28154941b
                            • Opcode Fuzzy Hash: bbe54dedfcbba0ce48e8aebc97e80acba1be97365c2295545f11be8dc50d1324
                            • Instruction Fuzzy Hash: AA5135B0E062888FDB10CFA9D548BDEBBF1BF49314F24845AE049A7350D7746845CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0307B730
                            • GetCurrentThread.KERNEL32 ref: 0307B76D
                            • GetCurrentProcess.KERNEL32 ref: 0307B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0307B803
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: cdfca79322f4284d645d8384cf6143577435397bc9c0d448f830d8da62e38dce
                            • Instruction ID: 47b74781c5b2ac9d3a42c4a836721fd1c0bf962f94dbaf22b2a64398de2551c7
                            • Opcode Fuzzy Hash: cdfca79322f4284d645d8384cf6143577435397bc9c0d448f830d8da62e38dce
                            • Instruction Fuzzy Hash: 955136B0E052498FDB10CFA9D548BDEBBF1BF48314F24845AE019A7350D7746845CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0307962E
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 9c26cb185dc8af4e2cd7baa833d713ad588959091dfa67f011c48aca3f03325b
                            • Instruction ID: 353412221778d22b6d6256d9186b9ad1a4c467a0412ba061c7ca2dc98c75c558
                            • Opcode Fuzzy Hash: 9c26cb185dc8af4e2cd7baa833d713ad588959091dfa67f011c48aca3f03325b
                            • Instruction Fuzzy Hash: C0713570A01B058FDB64DF2AD445B9AB7F1FF88214F048A2ED48ADBA50DB34E845CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0307FD0A
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 4b5a1258890b0e9c9ee29de26ff166ac84d1ebeac1db25bf43b26dc398df71f4
                            • Instruction ID: e9ae2067e82e82c5288b52c8c2f3e9f9c8183e9f01f81105aee71aea96abbefc
                            • Opcode Fuzzy Hash: 4b5a1258890b0e9c9ee29de26ff166ac84d1ebeac1db25bf43b26dc398df71f4
                            • Instruction Fuzzy Hash: FF51C2B1D01349DFDB14CF99C884ADDBBB1FF88314F24862AE815AB210D7749945CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0307FD0A
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 11a26717e4fedc30466e0a556310268d0c9b1372c6929aa61a6f2a56b00361c5
                            • Instruction ID: fcc71466dc052d50062f0e9f4b4ef2ba7e356d027415ffafc878daa2a54e04f4
                            • Opcode Fuzzy Hash: 11a26717e4fedc30466e0a556310268d0c9b1372c6929aa61a6f2a56b00361c5
                            • Instruction Fuzzy Hash: 7E41C1B1D003099FDB14CF99C884ADEBBF5BF88314F24822AE819AB210D774A945CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0307BD87
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 60941e67aa9186d15f55a5f6098818df417557ce1422b4a7bbeb83abffb33836
                            • Instruction ID: 5c1c6b9012735df36f7dec5fce139feb6e5c78b4c5379ca2e9f023e8ce4515f1
                            • Opcode Fuzzy Hash: 60941e67aa9186d15f55a5f6098818df417557ce1422b4a7bbeb83abffb33836
                            • Instruction Fuzzy Hash: EF2105B59012489FDB10CFAAD484ADEBFF4EB49324F14841AE954A7310D374A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0307BD87
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 8938aaf8c5fb053f4726c47a25a3f9859d7e702f7bf1c167af600a004da12b17
                            • Instruction ID: 438ccceba80813b4176d272f3ec2096e883aafe410b2f74521864f44fe6587ad
                            • Opcode Fuzzy Hash: 8938aaf8c5fb053f4726c47a25a3f9859d7e702f7bf1c167af600a004da12b17
                            • Instruction Fuzzy Hash: AE21F3B5D012489FDB10CFAAD884ADEFBF8FB48324F14841AE954A3310D378A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030796A9,00000800,00000000,00000000), ref: 030798BA
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 5098cb9f6b3610fdc46ea40ee28810f92188a7da080208b51c74d65ccb597552
                            • Instruction ID: 918733373d777929c0412d99b397da6eee19703a8a0eea053bafd76714feee4e
                            • Opcode Fuzzy Hash: 5098cb9f6b3610fdc46ea40ee28810f92188a7da080208b51c74d65ccb597552
                            • Instruction Fuzzy Hash: 211114B6D012498FDB10CF9AC444BDEFBF4EB88324F04842EE559A7600C375A945CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030796A9,00000800,00000000,00000000), ref: 030798BA
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 5d06954222a5ba05f12dbabfed655e05e34b34e04ae39e29b23f9c9bc1ce668b
                            • Instruction ID: 2913c8e685cb0af61202f7005f03a7f57431c0f99153268cdde192be8c3c004a
                            • Opcode Fuzzy Hash: 5d06954222a5ba05f12dbabfed655e05e34b34e04ae39e29b23f9c9bc1ce668b
                            • Instruction Fuzzy Hash: 3F1114B6D002499FDB10CFAAC444BDEFBF4EB89324F04852ED455A7600C375A945CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0307962E
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 97737c55e5e89ec77ba5547e7d418b6ae770829c75878415162174e81de282e2
                            • Instruction ID: f8d47d6cd13ea192934754a3e3e2265c1a3eda2c0bae749f5023f69f312df5f4
                            • Opcode Fuzzy Hash: 97737c55e5e89ec77ba5547e7d418b6ae770829c75878415162174e81de282e2
                            • Instruction Fuzzy Hash: 0B11E0B6D012498FDB20DF9AC444BDEFBF4AB88224F14851AD459A7610C378A546CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0307FE9D
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: f694471be59c78a0bebe9ac879d3a11ff940e58a78f4c9b04cca389970f15adc
                            • Instruction ID: 5010f072be03bc1c0eeb44ea43723892a1389cf80766005c0fde3a73edf8f30d
                            • Opcode Fuzzy Hash: f694471be59c78a0bebe9ac879d3a11ff940e58a78f4c9b04cca389970f15adc
                            • Instruction Fuzzy Hash: 331100B59002498FDB10CF9AD488BDEBBF8EB88324F14851AE955A7701C374A944CFA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0307FE9D
                            Memory Dump Source
                            • Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: b42ee1a43b320ba3547cba22b37320fa561b37876b719d105548768966bddfb7
                            • Instruction ID: 42e13684c6ba2621a17af804a8cfd9a9750b6c0bbeefb2f44a359ea093457359
                            • Opcode Fuzzy Hash: b42ee1a43b320ba3547cba22b37320fa561b37876b719d105548768966bddfb7
                            • Instruction Fuzzy Hash: 521112B59002498FDB10CF9AD488BDEFBF8EB88324F14841AE855A7300C374A944CFA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000012.00000002.321787567.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0be9ea3c6d36773c5d97366dad1fe6755699c3a3ce9f9b311967fd2bd6120e0d
                            • Instruction ID: f66fb0879a92db0f0b15f8aeed7ae888cb6ab26c562b1d1edecc70feb4add415
                            • Opcode Fuzzy Hash: 0be9ea3c6d36773c5d97366dad1fe6755699c3a3ce9f9b311967fd2bd6120e0d
                            • Instruction Fuzzy Hash: 562136B1514244DFDF05DF9CE8C0B66BF65FB88328F248568DA090A217C336D806DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000012.00000002.321815875.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9f02efedb84335083d28ccc6c1f95c71b3a05b991cda7e7489ba073c4bff3cd7
                            • Instruction ID: 0735635f4a7b88e11549b765dd39cb42e0c5d17443c9caedb42bab5b9c7a75ac
                            • Opcode Fuzzy Hash: 9f02efedb84335083d28ccc6c1f95c71b3a05b991cda7e7489ba073c4bff3cd7
                            • Instruction Fuzzy Hash: DA216775618248DFDB14CF58D4C0BA6BB61FB88398F24C96DD9094B242C336D807CA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000012.00000002.321815875.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01b9dbe464b476e3be1cad6f48a1961ed897bf85ec1f50583b4e803165709f57
                            • Instruction ID: 9956465b6aaddba57129ad5bdd6967fba660381e20eeee4fe3ca1b7497233cd1
                            • Opcode Fuzzy Hash: 01b9dbe464b476e3be1cad6f48a1961ed897bf85ec1f50583b4e803165709f57
                            • Instruction Fuzzy Hash: 6621B0714083849FCB02CF24D9D4B51BF71EB46354F28C5DAD8498B267C33A980ACB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000012.00000002.321787567.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
                            • Instruction ID: 61067814f974c55b3d47baa1602bd429a2049d2fb20e80f2e0a11bca14b34cc2
                            • Opcode Fuzzy Hash: cd9fccb4d1f700996e96346b7a0ce1f317b0c695758ddfa9f0b4c227b16085db
                            • Instruction Fuzzy Hash: B7119D76904284CFDF16CF58E5C4B16BF71FB84324F2486A9D9050A616C336D456DBA2
                            Uniqueness

                            Uniqueness Score: -1.00%
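The function entries above are easier to reason about once they are parsed rather than read one by one: every entry in this section comes from a dump whose "based on PE: false" flag marks memory not backed by an image file (the 032D0000 region in the 00000008 dump and the 03070000 region in the 00000012 dump), and several entries share a single call site under different Opcode IDs (for example DuplicateHandle at ref 032D7E2F), so counting entries overstates the amount of distinct code. The script below is an added example, not Joe Sandbox code and not part of the report: it parses this entry format, groups API call sites per process, flags call sites shared by more than one function hash, and counts dumps not backed by a PE image. The sample text is constructed from entries copied from this page, trimmed to the lines the summary needs; reading the first dot-separated field of the .sdmp name as the process index is an assumption about the file-name layout.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the report above, trimmed to the lines
# the summary below needs (any other "• Key: value" line is kept by the parser).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 0307B730
• GetCurrentThread.KERNEL32 ref: 0307B76D
• GetCurrentProcess.KERNEL32 ref: 0307B7AA
• GetCurrentThreadId.KERNEL32 ref: 0307B803
Memory Dump Source
• Source File: 00000012.00000002.322211021.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• Opcode ID: bbe54dedfcbba0ce48e8aebc97e80acba1be97365c2295545f11be8dc50d1324
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032D7D6E,?,?,?,?,?), ref: 032D7E2F
Memory Dump Source
• Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• Opcode ID: 8463a904a23cda5cdee026ce601c78dabd902ecf02e1a3612db386931396bf93
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032D7D6E,?,?,?,?,?), ref: 032D7E2F
Memory Dump Source
• Source File: 00000008.00000002.300340490.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• Opcode ID: 608d31de7e083cb999ff92cc702f66b8bfdebae8621184153f8b757e7b2982c6
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000012.00000002.321787567.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
Similarity
• API ID:
• Opcode ID: 0be9ea3c6d36773c5d97366dad1fe6755699c3a3ce9f9b311967fd2bd6120e0d
Uniqueness Score: -1.00%
"""

# "Api.MODULE(args), ref: ADDR" or, for calls without arguments, "Api.MODULE ref: ADDR"
API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<src>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                    r"based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+):\s*(?P<val>.*)$")   # generic "• Key: value"


def parse_entries(text):
    """Split report text into one dict per function entry; 'Uniqueness Score' ends an entry."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score:"):
            cur["uniqueness"] = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur = {"apis": []}
            continue
        m = API_RE.match(line)            # must run before the generic key/value match
        if m:
            d = m.groupdict()
            d["args"] = d["args"].split(",") if d["args"] else []
            cur["apis"].append(d)
            continue
        m = SRC_RE.match(line)
        if m:
            cur.update(m.groupdict())
            # Assumption: the first dot-separated field of the .sdmp name is the process index.
            cur["process"] = m["src"].split(".")[0]
            continue
        m = KV_RE.match(line)
        if m:
            cur[m["key"]] = m["val"]      # e.g. cur["Opcode ID"], cur["API ID"] (may be "")
    if cur["apis"] or "src" in cur:       # entry without a closing score line
        entries.append(cur)
    return entries


def summarize(entries):
    """Per process: API -> call-site refs; call sites shared by several function hashes."""
    by_proc = defaultdict(lambda: defaultdict(set))   # process -> api -> {ref}
    site_funcs = defaultdict(set)                     # (process, api, ref) -> {Opcode ID}
    non_image = sum(1 for e in entries if e.get("pe") == "false")
    for e in entries:
        for a in e["apis"]:
            by_proc[e.get("process", "?")][a["api"]].add(a["ref"])
            site_funcs[(e.get("process", "?"), a["api"], a["ref"])].add(e.get("Opcode ID"))
    shared = {k: v for k, v in site_funcs.items() if len(v) > 1}
    return {"by_process": by_proc, "shared_call_sites": shared,
            "non_image_dumps": non_image, "entries": len(entries)}


if __name__ == "__main__":
    report = summarize(parse_entries(SAMPLE))
    for proc, apis in sorted(report["by_process"].items()):
        print(proc, {api: sorted(refs) for api, refs in apis.items()})
    for site, funcs in report["shared_call_sites"].items():
        print("call site shared by %d function hashes:" % len(funcs), site)
    print("dumps not backed by a PE image:", report["non_image_dumps"], "of", report["entries"])
```

Run it against the text of a whole "Executed Functions" section (paste it into `SAMPLE` or read it from a file) to get one API-to-call-site map per process; the "shared call site" list is the set of entries that are variants of the same code rather than additional functions, and the non-image count tells you how much of the listed code lives in memory that no file on disk accounts for.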

                            Non-executed Functions