Play interactive tour

Edit tour

Windows Analysis Report HUMVC_039873637892OIHGDHJZ.exe

Overview

General Information

Sample Name:	HUMVC_039873637892OIHGDHJZ.exe
Analysis ID:	451696
MD5:	16d9ae1d9213807e9545f807cade8882
SHA1:	4b51f85a5667469a312e56b467a6535604ac9a15
SHA256:	faa8dd132b5dc23c12bb77efcba9373f9881096ea131b02671f1c59b8b065723
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

HUMVC_039873637892OIHGDHJZ.exe (PID: 2476 cmdline: 'C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe' MD5: 16D9AE1D9213807E9545F807CADE8882)

schtasks.exe (PID: 4744 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SyTPTBF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 5028 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)

MSBuild.exe (PID: 1156 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)

MSBuild.exe (PID: 5956 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)

schtasks.exe (PID: 5924 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DFC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4840 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp41B6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 2588 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6136 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3468 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "909dcd33-e0d7-4bd0-87b2-b7fd2611", "Group": "1116", "Domain1": "1116.hopto.org", "Domain2": "", "Port": 1116, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35b5:$a: NanoCore 0x360e:$a: NanoCore 0x364b:$a: NanoCore 0x36c4:$a: NanoCore 0x16d6f:$a: NanoCore 0x16d84:$a: NanoCore 0x16db9:$a: NanoCore 0x2fd53:$a: NanoCore 0x2fd68:$a: NanoCore 0x2fd9d:$a: NanoCore 0x3617:$b: ClientPlugin 0x3654:$b: ClientPlugin 0x3f52:$b: ClientPlugin 0x3f5f:$b: ClientPlugin 0x16b2b:$b: ClientPlugin 0x16b46:$b: ClientPlugin 0x16b76:$b: ClientPlugin 0x16d8d:$b: ClientPlugin 0x16dc2:$b: ClientPlugin 0x2fb0f:$b: ClientPlugin 0x2fb2a:$b: ClientPlugin
00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.473461080.0000000002BB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.478438953.00000000052B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.478438953.00000000052B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.MSBuild.exe.60c0000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.MSBuild.exe.60c0000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.MSBuild.exe.60c0000.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.60c4629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.MSBuild.exe.60c4629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.MSBuild.exe.60c4629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.52b0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.MSBuild.exe.52b0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.MSBuild.exe.60c0000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.MSBuild.exe.60c0000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.MSBuild.exe.60c0000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.3c0060c.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.MSBuild.exe.3c0060c.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.MSBuild.exe.3c0060c.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.3c04c35.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
5.2.MSBuild.exe.3c04c35.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24168:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25243:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24182:$s5: IClientLoggingHost
5.2.MSBuild.exe.3c04c35.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.MSBuild.exe.3c0060c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
5.2.MSBuild.exe.3c0060c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28791:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2986c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287ab:$s5: IClientLoggingHost
5.2.MSBuild.exe.3c0060c.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.2bea12c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.MSBuild.exe.2bea12c.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.MSBuild.exe.3bfb7d6.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
5.2.MSBuild.exe.3bfb7d6.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5c7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6a2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e1:$s5: IClientLoggingHost
5.2.MSBuild.exe.3bfb7d6.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.MSBuild.exe.3bfb7d6.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
Click to see the 25 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5956, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe' , ParentImage: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe, ParentProcessId: 2476, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5028

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "909dcd33-e0d7-4bd0-87b2-b7fd2611", "Group": "1116", "Domain1": "1116.hopto.org", "Domain2": "", "Port": 1116, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: 1116.hopto.org	Virustotal: Detection: 6%			Perma Link
Source: 1116.hopto.org	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: HUMVC_039873637892OIHGDHJZ.exe

Virustotal: Detection: 52%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c04c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.473461080.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SyTPTBF.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: HUMVC_039873637892OIHGDHJZ.exe

Joe Sandbox ML: detected

Source: 5.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.MSBuild.exe.60c0000.10.unpack	Avira: Label: TR/NanoCore.fadte

Source: HUMVC_039873637892OIHGDHJZ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: HUMVC_039873637892OIHGDHJZ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.5.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 1116.hopto.org

Source: global traffic

TCP traffic: 192.168.2.3:49701 -> 185.140.53.9:1116

Source: Joe Sandbox View

IP Address: 185.140.53.9 185.140.53.9

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.108.226
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.114
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.108.226
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.108.226
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29

Source: unknown

DNS traffic detected: queries for: 1116.hopto.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443

Source: MSBuild.exe, 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c04c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.473461080.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.2.MSBuild.exe.60c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.60c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.52b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.60c0000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.3c0060c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.3c04c35.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.3c0060c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.2bea12c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.478438953.00000000052B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0110E471	5_2_0110E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0110E480	5_2_0110E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0110BBD4	5_2_0110BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_06590040	5_2_06590040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00EF5CF9	9_2_00EF5CF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00EF2148	9_2_00EF2148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00EF4A20	9_2_00EF4A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00EF2133	9_2_00EF2133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00EF1A40	9_2_00EF1A40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_01222148	12_2_01222148
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_01224580	12_2_01224580
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_01225858	12_2_01225858
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_01221A40	12_2_01221A40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_01222138	12_2_01222138
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02482370	15_2_02482370
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_024818C0	15_2_024818C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_024851F9	15_2_024851F9

Source: HUMVC_039873637892OIHGDHJZ.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SyTPTBF.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: HUMVC_039873637892OIHGDHJZ.exe, 00000000.00000000.202942274.0000000000234000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsByVal.exe* vs HUMVC_039873637892OIHGDHJZ.exe
Source: HUMVC_039873637892OIHGDHJZ.exe	Binary or memory string: OriginalFilenameIsByVal.exe* vs HUMVC_039873637892OIHGDHJZ.exe

Source: HUMVC_039873637892OIHGDHJZ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 5.2.MSBuild.exe.60c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.60c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.60c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.60c4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.52b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.52b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.60c0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.60c0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.3c0060c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.3c0060c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.3c04c35.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.3c04c35.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.MSBuild.exe.3c0060c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.3c0060c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.2bea12c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.2bea12c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.478438953.00000000052B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.478438953.00000000052B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: HUMVC_039873637892OIHGDHJZ.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SyTPTBF.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: dhcpmon.exe.5.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.cs	Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: dhcpmon.exe.5.dr, Microsoft.Build/Shared/TaskLoader.cs	Task registration methods: 'CreateTask'
Source: dhcpmon.exe.5.dr, Microsoft.Build/BackEnd/TaskParameter.cs	Task registration methods: 'CreateNewTaskItemFrom'
Source: dhcpmon.exe.5.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.cs	Task registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'

Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.dhcpmon.exe.920000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.dhcpmon.exe.920000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.5.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.5.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: dhcpmon.exe.5.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: dhcpmon.exe.5.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.5.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.dhcpmon.exe.120000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.dhcpmon.exe.120000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 15.0.dhcpmon.exe.120000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 12.0.dhcpmon.exe.920000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.dhcpmon.exe.920000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 12.0.dhcpmon.exe.920000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 12.0.dhcpmon.exe.920000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.dhcpmon.exe.920000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.dhcpmon.exe.920000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.dhcpmon.exe.920000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 12.2.dhcpmon.exe.920000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 15.0.dhcpmon.exe.120000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.dhcpmon.exe.120000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: dhcpmon.exe, 0000000F.00000002.268099517.0000000002581000.00000004.00000001.sdmp	Binary or memory string: l)C:\Program Files (x86)\DHCP Monitor\*.sln
Source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: dhcpmon.exe, dhcpmon.exe.5.dr	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: dhcpmon.exe, 0000000F.00000002.268099517.0000000002581000.00000004.00000001.sdmp	Binary or memory string: *.slnP#
Source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: dhcpmon.exe, dhcpmon.exe.5.dr	Binary or memory string: *.sln
Source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr	Binary or memory string: /ignoreprojectextensions:.sln
Source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/14@12/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

File created: C:\Users\user\AppData\Roaming\SyTPTBF.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4424:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_01
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\cIfVwHYARTkXHr
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB2F.tmp

Jump to behavior

Source: HUMVC_039873637892OIHGDHJZ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HUMVC_039873637892OIHGDHJZ.exe

Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

File read: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe 'C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe'
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SyTPTBF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DFC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp41B6.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SyTPTBF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2F.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DFC.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp41B6.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: HUMVC_039873637892OIHGDHJZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HUMVC_039873637892OIHGDHJZ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.5.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: dhcpmon.exe, 0000000C.00000000.255138652.0000000000922000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.264992405.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.5.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: initial sample	Static PE information: section name: .text entropy: 7.93103784286
Source: initial sample	Static PE information: section name: .text entropy: 7.93103784286

Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	File created: C:\Users\user\AppData\Roaming\SyTPTBF.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SyTPTBF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2F.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7816	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 830	Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe TID: 3008	Thread sleep time: -49114s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe TID: 1200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1092	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Thread delayed: delay time: 49114	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000005.00000002.479232158.0000000006960000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000005.00000002.479232158.0000000006960000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000005.00000002.479232158.0000000006960000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000005.00000002.479232158.0000000006960000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: dhcpmon.exe.5.dr, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs	Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 12.0.dhcpmon.exe.920000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 12.2.dhcpmon.exe.920000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 15.0.dhcpmon.exe.120000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9AB008	Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SyTPTBF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2F.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DFC.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp41B6.tmp'	Jump to behavior

Source: MSBuild.exe, 00000005.00000002.475672739.0000000002F2C000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000005.00000002.472901472.00000000014B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000005.00000002.472901472.00000000014B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000005.00000002.478687375.0000000005FAB000.00000004.00000001.sdmp	Binary or memory string: Program Manager 4Lln
Source: MSBuild.exe, 00000005.00000002.475672739.0000000002F2C000.00000004.00000001.sdmp	Binary or memory string: Program Manager8
Source: MSBuild.exe, 00000005.00000002.472901472.00000000014B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c04c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.473461080.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: MSBuild.exe, 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.60c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c04c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3c0060c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.3bfb7d6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.473461080.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job11	Scheduled Task/Job11	Process Injection212	Masquerading2	Input Capture11	Security Software Discovery1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Scheduled Task/Job11	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
HUMVC_039873637892OIHGDHJZ.exe	53%	Virustotal		Browse
HUMVC_039873637892OIHGDHJZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\SyTPTBF.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Virustotal	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
5.2.MSBuild.exe.60c0000.10.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
1116.hopto.org	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
1116.hopto.org	7%	Virustotal		Browse
1116.hopto.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
1116.hopto.org	185.140.53.9	true	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
1116.hopto.org	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.9	1116.hopto.org	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	451696
Start date:	21.07.2021
Start time:	03:50:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	HUMVC_039873637892OIHGDHJZ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/14@12/1
EGA Information:	Successful, ratio: 20%
HDC Information:	Successful, ratio: 5.4% (good quality ratio 4.7%) Quality average: 38.6% Quality standard deviation: 20.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 108 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 40.88.32.150, 23.211.4.86 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net Execution Graph export aborted for target MSBuild.exe, PID 2588 because it is empty Execution Graph export aborted for target dhcpmon.exe, PID 3468 because it is empty Execution Graph export aborted for target dhcpmon.exe, PID 6136 because it is empty Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:51:39	API Interceptor	2x Sleep call for process: HUMVC_039873637892OIHGDHJZ.exe modified
03:51:45	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
03:51:46	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" s>$(Arg0)
03:51:46	API Interceptor	920x Sleep call for process: MSBuild.exe modified
03:51:48	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.9	CVhssiltQ9.exe	Get hash	malicious	Browse
	AWQ#U007e0007655678TH.exe	Get hash	malicious	Browse
	Ubn_03030387356383-tg.exe	Get hash	malicious	Browse
	Urgent RFQAP65425652032421,pdf.exe	Get hash	malicious	Browse
	PCT0002982765627827BC.exe	Get hash	malicious	Browse
	nXa6P8N8MS.exe	Get hash	malicious	Browse
	__RFQAP65425652032421_pdf.exe	Get hash	malicious	Browse
	Urgence RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse
	ANS_309487487_#049844874.exe	Get hash	malicious	Browse
	t5R60D503x.exe	Get hash	malicious	Browse
	GT_0397337_03987638BNG.exe	Get hash	malicious	Browse
	1PH37n4Gva.exe	Get hash	malicious	Browse
	malwa.exe	Get hash	malicious	Browse
	HDF_39837635_0398376HJD.exe	Get hash	malicious	Browse
	E0029876556_209876689.exe	Get hash	malicious	Browse
	BGD_03987365_0398736DSC.exe	Get hash	malicious	Browse
	DHL_AWB #9855452108.exe	Get hash	malicious	Browse
	Simo_Inquiry_FOB_Order_9820_xlsx.exe	Get hash	malicious	Browse
	Summer_richiesta_di_preventivo_070820.exe	Get hash	malicious	Browse
	RF172474228ES.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
1116.hopto.org	AWQ#U007e0007655678TH.exe	Get hash	malicious	Browse	185.140.53.9
1116.hopto.org	Ubn_03030387356383-tg.exe	Get hash	malicious	Browse	185.140.53.9

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	Solicite ER4101317594762443T51,pdf.exe	Get hash	malicious	Browse	185.140.53.11
	documentos de env#U00edo 20 de julio de 2021,pdf.e.exe	Get hash	malicious	Browse	185.140.53.11
	ORDER TSA-A090621B.exe	Get hash	malicious	Browse	185.140.53.253
	RFQ 10 UNIT.exe	Get hash	malicious	Browse	185.140.53.253
	A2CGhuioKe.exe	Get hash	malicious	Browse	185.244.30.28
	0kEuVjiCbh.exe	Get hash	malicious	Browse	185.244.30.28
	RFQ_Order WT013 - A11197322,pdf.exe	Get hash	malicious	Browse	185.244.30.18
	ORDER.exe	Get hash	malicious	Browse	185.140.53.132
	DHL_119040 receipt document,pdf.exe	Get hash	malicious	Browse	185.244.30.18
	Img 673t5718737.exe	Get hash	malicious	Browse	91.193.75.202
	Parts_Enquiry_450kr6CRT.vbs	Get hash	malicious	Browse	185.140.53.169
	ltemsreceipt975432907.exe	Get hash	malicious	Browse	185.244.30.19
	H194 #U5146#U57fa - Payment.exe	Get hash	malicious	Browse	185.140.53.135
	Parts-Enquiry_OYU08W0VCWRDLPA.vbs	Get hash	malicious	Browse	185.140.53.169
	OneDrive.exe	Get hash	malicious	Browse	185.140.53.194
	CVhssiltQ9.exe	Get hash	malicious	Browse	185.140.53.9
	rz89FRwKvB.exe	Get hash	malicious	Browse	185.244.30.92
	doc030WA0004-55YH701-75IMG0012.exe	Get hash	malicious	Browse	185.140.53.230
	Request For Quotation.xlsx	Get hash	malicious	Browse	185.140.53.154
	CV CREDENTIALS.exe	Get hash	malicious	Browse	185.140.53.8

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	HSBC Swift.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	Contract05072157393.exe	Get hash	malicious	Browse
	19495C90691E8B6EEF5D55D50B9D76AE6CEB5629D6C08.exe	Get hash	malicious	Browse
	PO# 6042089404900 & PAYMENT DETAILSpdf.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	Quotation Price - Double R Trading b.v.exe	Get hash	malicious	Browse
	QTN TECHN 80654.exe	Get hash	malicious	Browse
	Nizi International S.A. #New Order.exe	Get hash	malicious	Browse
	DHL Shipment Documents.exe	Get hash	malicious	Browse
	27bd034c36964c455e2b2ad6b264561f.exe	Get hash	malicious	Browse
	quote #2063 almaco.exe	Get hash	malicious	Browse
	ConsoleSniffer v4.1 installer.exe	Get hash	malicious	Browse
	jtH33Uljkz.exe	Get hash	malicious	Browse
	quote #60123.exe	Get hash	malicious	Browse
	4Ln2OMmPj79MMLB.exe	Get hash	malicious	Browse
	EaQJs1GILVylIiG.exe	Get hash	malicious	Browse
	Quote-TSL-1037174_4810.exe	Get hash	malicious	Browse
	Quotation HT210525 IV.exe	Get hash	malicious	Browse
	xtxr8lHa5F.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	261728
Entropy (8bit):	6.1750840449797675
Encrypted:	false
SSDEEP:	3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
MD5:	D621FD77BD585874F9686D3A76462EF1
SHA1:	ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
SHA-256:	2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
SHA-512:	2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: HSBC Swift.exe, Detection: malicious, Browse Filename: Purchase Order.exe, Detection: malicious, Browse Filename: Contract05072157393.exe, Detection: malicious, Browse Filename: 19495C90691E8B6EEF5D55D50B9D76AE6CEB5629D6C08.exe, Detection: malicious, Browse Filename: PO# 6042089404900 & PAYMENT DETAILSpdf.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: Quotation Price - Double R Trading b.v.exe, Detection: malicious, Browse Filename: QTN TECHN 80654.exe, Detection: malicious, Browse Filename: Nizi International S.A. #New Order.exe, Detection: malicious, Browse Filename: DHL Shipment Documents.exe, Detection: malicious, Browse Filename: 27bd034c36964c455e2b2ad6b264561f.exe, Detection: malicious, Browse Filename: quote #2063 almaco.exe, Detection: malicious, Browse Filename: ConsoleSniffer v4.1 installer.exe, Detection: malicious, Browse Filename: jtH33Uljkz.exe, Detection: malicious, Browse Filename: quote #60123.exe, Detection: malicious, Browse Filename: 4Ln2OMmPj79MMLB.exe, Detection: malicious, Browse Filename: EaQJs1GILVylIiG.exe, Detection: malicious, Browse Filename: Quote-TSL-1037174_4810.exe, Detection: malicious, Browse Filename: Quotation HT210525 IV.exe, Detection: malicious, Browse Filename: xtxr8lHa5F.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z.........."...0..\|...B......n.... ........@.. ....................................`.....................................O........>..............`>.......................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B................P.......H.......8)...................\|..........................................{.......v.(=....r...p({...-..+..}........0..%........(....-......(z.....&..}..............................0..5........(....-...-.r+..ps>...z.....i(z.....&..}......................%......>....(?...(....N..(@....oA...(....:...(B...(....:...(C...(....*....(........0..G........(....,....(....-...}......r...p(x...&.(v.....}......&..}....................7.......0..f........-.r7..ps>...z .....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HUMVC_039873637892OIHGDHJZ.exe.log Download File
Process:	C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	841
Entropy (8bit):	5.356220854328477
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
MD5:	486580834B084C92AE1F3866166C9C34
SHA1:	C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
SHA-256:	65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
SHA-512:	2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1037
Entropy (8bit):	5.371216502395632
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7KvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHhAHKzvKvEHxD0
MD5:	C7F28B87C2CAD111D929CB9A0FF822F8
SHA1:	C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
SHA-256:	D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6
SHA-512:	E0F35874E02AB672CFF0553A0DA0864DAB14C05733D06395E4D0C9CDFC6F445E940310F8D01E3E1B28895F636DFBC1F510E103D1C46818400BA4E7371D8F254D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp3DFC.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.137611098420233
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0moxtn:cbk4oL600QydbQxIYODOLedq3Zoj
MD5:	3E2B26ED8B75AE83A269595180E84EF6
SHA1:	D30A0335FCCE406BCA8BA5764288235E6192F608
SHA-256:	108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA
SHA-512:	B6981C68FCB886CC8379A068B96931B9D4F5CC5AA9BDC467E36C4168FE6C5273A2A84D8850B12C11703EC03AC6B1F1950D1E669EFCB59FC2402CE4BBA9DC03D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp41B6.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpB2F.tmp Download File
Process:	C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.187159770137202
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKByOtn:cbh47TlNQ//rydbz9I3YODOLNdq3wo
MD5:	33A5B9A10C2EB765DBFD095B9F34244D
SHA1:	65BAF3766C049F7F4D2525867E74E5D490C8CC6F
SHA-256:	26F4B80815BE68CDA7C47F99C89E52D509533D0648D1E95C4823BE841AF2E8E4
SHA-512:	35DDF8D89AF209C72E6DD13C00F16A50E7B6B2E9F6C761BF6E7E552F571DC9FC1AB1D23875F8B4D309ED536DBBC9E64E352D593F333CB0ABC58AD5DFCE1FA76E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:sSn:sSn
MD5:	7C7EF8E06D5642E2974421A5732A770B
SHA1:	3D567AB4CFE7FDAECF98CFF1A1BF2227982D917B
SHA-256:	923F6E34A9D3EE3B3844B8D40A589E4A9CDEE904ACEB887407F91EAF6AAA2728
SHA-512:	AC83D3944B28EA2F7EC8DD6EF1B3E8DB9C201C63752F550F5D55BDEC731432A1F4DC2F91C492EB28476595C62174D3A647F6698C7FAA6117A77EDEE1455956BE
Malicious:	true
Preview:	....5L.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.887726803973036
Encrypted:	false
SSDEEP:	3:oMty8WddSJ8:oMLW6C
MD5:	6ECAFC0490DAB08E4A288E0042B6B613
SHA1:	4A4529907588505FC65CC9933980CFE6E576B3D6
SHA-256:	DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0
SHA-512:	7DA2B02627A36C8199814C250A1FBD61A9C18E098F8D691C11D75044E7F51DBD52C31EC2E1EA8CDEE5077ADCCB8CD247266F191292DB661FE7EA1B613FC646F8
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\user\AppData\Roaming\SyTPTBF.exe Download File
Process:	C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	820224
Entropy (8bit):	7.6081081994974
Encrypted:	false
SSDEEP:	12288:zp7n+TYEvTLv199MK8UKookUSWc4sZX80h5KxhKOUTBWJGpcc3:Bn+vHVMNBkUSugM6ihZuGGx3
MD5:	16D9AE1D9213807E9545F807CADE8882
SHA1:	4B51F85A5667469A312E56B467A6535604AC9A15
SHA-256:	FAA8DD132B5DC23C12BB77EFCBA9373F9881096EA131B02671F1C59B8B065723
SHA-512:	D5BA8E4F9BC4553CA80842E433EC1CD387E6F71B344C6568C77B952AA55850CE438AB2F56B7C981BBF572472A939E978E44366EBD4AD1C2F918F1855F48B2549
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.`................................ ... ....@.. ....................................@.....................................W....@..,.................... ....................................................... ............... ..H............text...0.... ...................... ..`.reloc....... ......................@..B.rsrc...,....@......................@..@........................H.......<....h......K.......\|...........................................z.(......}.....(....o ...}.........0...........{......E............8...Z...u..................}..... ].4S}......}.......}..... ..Q.}......}.......}......{.... Km.a}......}.......}..... ,...}......}.......}......{.... ..=.a}......}.......}..... ....}......}.......}..... "G.R}......}.......}........{.....s!...z.2.{.....[.......0..<........{......3..{....(....o ...3...}......+..s.......{....}..

C:\Users\user\AppData\Roaming\SyTPTBF.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.943030742860529
Encrypted:	false
SSDEEP:	6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+
MD5:	6A9888952541A41F033EB114C24DC902
SHA1:	41903D7C8F31013C44572E09D97B9AAFBBCE77E6
SHA-256:	41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
SHA-512:	E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E
Malicious:	false
Preview:	Microsoft (R) Build Engine version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6081081994974
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	HUMVC_039873637892OIHGDHJZ.exe
File size:	820224
MD5:	16d9ae1d9213807e9545f807cade8882
SHA1:	4b51f85a5667469a312e56b467a6535604ac9a15
SHA256:	faa8dd132b5dc23c12bb77efcba9373f9881096ea131b02671f1c59b8b065723
SHA512:	d5ba8e4f9bc4553ca80842e433ec1cd387e6f71b344c6568c77b952aa55850ce438ab2f56b7c981bbf572472a939e978e44366ebd4ad1c2f918f1855f48b2549
SSDEEP:	12288:zp7n+TYEvTLv199MK8UKookUSWc4sZX80h5KxhKOUTBWJGpcc3:Bn+vHVMNBkUSugM6ihZuGGx3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.`............................*.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	74e4d4d4d4d4d4d4

Static PE Info

General
Entrypoint:	0x4a1d2a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F14FC2 [Fri Jul 16 09:22:10 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1cd0	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x2802c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9fd30	0x9fe00	False	0.942586676603	data	7.93103784286	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x2802c	0x28200	False	0.0990496008567	data	4.85373961661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa4280	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb4aa8	0x94a8	data
RT_ICON	0xbdf50	0x5488	data
RT_ICON	0xc33d8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 255, next used block 4294905600
RT_ICON	0xc7600	0x25a8	data
RT_ICON	0xc9ba8	0x10a8	data
RT_ICON	0xcac50	0x988	data
RT_ICON	0xcb5d8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xcba40	0x76	data
RT_VERSION	0xcbab8	0x3c0	data
RT_MANIFEST	0xcbe78	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Computer/Spiele-Info.net 2013
Assembly Version	1.0.1.0
InternalName	IsByVal.exe
FileVersion	1.3.1.0
CompanyName	Computer/Spiele-Info.net
LegalTrademarks	Computer/Spiele-Info.net
Comments	2D-GameEngine by 3r0rXx
ProductName	VMML
ProductVersion	1.3.1.0
FileDescription	VMML
OriginalFilename	IsByVal.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 21, 2021 03:51:19.233501911 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.234373093 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.271106958 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.271143913 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.271151066 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.271322012 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.271373987 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.271395922 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.271469116 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.271497011 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.308978081 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309020996 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309041977 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309060097 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309111118 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309143066 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309169054 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309254885 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309262991 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.309293985 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309335947 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.309372902 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.309400082 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.309417009 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.309422016 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346513033 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346568108 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346584082 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346606970 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346630096 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346652985 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346674919 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346689939 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346714020 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346827984 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:19.346841097 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.346874952 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.398603916 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:19.398838997 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205092907 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205236912 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205301046 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205355883 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205410004 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205445051 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205473900 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205502987 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205524921 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.205543995 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.242403984 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.242537975 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.242563009 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.244882107 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.244908094 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245271921 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245301962 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245328903 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245345116 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245372057 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245388031 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245421886 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245452881 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245477915 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245502949 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245527983 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.245551109 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246146917 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246176004 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246195078 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246221066 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246237993 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246263981 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246289968 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246315002 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246443033 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.246579885 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246623039 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246649027 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246675014 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246700048 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.246831894 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:24.300967932 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:51:24.301260948 CEST	49682	443	192.168.2.3	204.79.197.200
Jul 21, 2021 03:51:34.450155020 CEST	49678	80	192.168.2.3	173.222.108.226
Jul 21, 2021 03:51:36.473674059 CEST	443	50257	151.101.2.114	192.168.2.3
Jul 21, 2021 03:51:36.473741055 CEST	443	50257	151.101.2.114	192.168.2.3
Jul 21, 2021 03:51:36.473773956 CEST	50257	443	192.168.2.3	151.101.2.114
Jul 21, 2021 03:51:36.473887920 CEST	50257	443	192.168.2.3	151.101.2.114
Jul 21, 2021 03:51:48.322818041 CEST	49701	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:48.375850916 CEST	1116	49701	185.140.53.9	192.168.2.3
Jul 21, 2021 03:51:48.886310101 CEST	49701	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:48.942424059 CEST	1116	49701	185.140.53.9	192.168.2.3
Jul 21, 2021 03:51:49.448796988 CEST	49701	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:49.501940012 CEST	1116	49701	185.140.53.9	192.168.2.3
Jul 21, 2021 03:51:53.702678919 CEST	49704	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:53.756314039 CEST	1116	49704	185.140.53.9	192.168.2.3
Jul 21, 2021 03:51:54.260554075 CEST	49704	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:54.314256907 CEST	1116	49704	185.140.53.9	192.168.2.3
Jul 21, 2021 03:51:54.823026896 CEST	49704	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:54.878806114 CEST	1116	49704	185.140.53.9	192.168.2.3
Jul 21, 2021 03:51:59.218734026 CEST	49706	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:59.272022009 CEST	1116	49706	185.140.53.9	192.168.2.3
Jul 21, 2021 03:51:59.776654959 CEST	49706	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:51:59.830319881 CEST	1116	49706	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:00.339243889 CEST	49706	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:00.395699978 CEST	1116	49706	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:04.403289080 CEST	49707	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:04.457029104 CEST	1116	49707	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:04.964509010 CEST	49707	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:05.017554998 CEST	1116	49707	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:05.527177095 CEST	49707	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:05.757275105 CEST	1116	49707	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:09.765444040 CEST	49708	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:09.819087982 CEST	1116	49708	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:10.324333906 CEST	49708	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:10.378158092 CEST	1116	49708	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:10.887079000 CEST	49708	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:10.940958023 CEST	1116	49708	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:13.075150013 CEST	49679	80	192.168.2.3	173.222.108.226
Jul 21, 2021 03:52:13.118208885 CEST	80	49679	173.222.108.226	192.168.2.3
Jul 21, 2021 03:52:13.118288040 CEST	49679	80	192.168.2.3	173.222.108.226
Jul 21, 2021 03:52:14.951047897 CEST	49709	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:15.003828049 CEST	1116	49709	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:15.512401104 CEST	49709	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:15.565504074 CEST	1116	49709	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:16.074815035 CEST	49709	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:16.127708912 CEST	1116	49709	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:16.444278955 CEST	80	49683	93.184.220.29	192.168.2.3
Jul 21, 2021 03:52:16.445300102 CEST	49683	80	192.168.2.3	93.184.220.29
Jul 21, 2021 03:52:20.236483097 CEST	49710	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:20.289865017 CEST	1116	49710	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:20.794179916 CEST	49710	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:20.847435951 CEST	1116	49710	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:21.356600046 CEST	49710	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:21.409883976 CEST	1116	49710	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:25.522927046 CEST	49711	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:25.576818943 CEST	1116	49711	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:26.091382027 CEST	49711	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:26.144032955 CEST	1116	49711	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:26.654033899 CEST	49711	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:26.708184958 CEST	1116	49711	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:30.816843033 CEST	49712	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:30.869954109 CEST	1116	49712	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:31.373089075 CEST	49712	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:31.426110029 CEST	1116	49712	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:31.935569048 CEST	49712	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:31.990020990 CEST	1116	49712	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:35.999881029 CEST	49713	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:36.083013058 CEST	1116	49713	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:36.592308044 CEST	49713	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:36.645148993 CEST	1116	49713	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:37.154917955 CEST	49713	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:37.207767010 CEST	1116	49713	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:41.218992949 CEST	49714	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:41.272176981 CEST	1116	49714	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:41.780347109 CEST	49714	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:41.834964037 CEST	1116	49714	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:42.342744112 CEST	49714	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:42.396301031 CEST	1116	49714	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:46.408143997 CEST	49715	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:46.461091995 CEST	1116	49715	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:46.968095064 CEST	49715	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:47.021020889 CEST	1116	49715	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:47.530733109 CEST	49715	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:47.584923983 CEST	1116	49715	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:51.757867098 CEST	49716	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:51.811309099 CEST	1116	49716	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:52.312238932 CEST	49716	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:52.367443085 CEST	1116	49716	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:52.874941111 CEST	49716	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:52.928306103 CEST	1116	49716	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:57.033917904 CEST	49717	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:57.090812922 CEST	1116	49717	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:57.594127893 CEST	49717	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:57.647770882 CEST	1116	49717	185.140.53.9	192.168.2.3
Jul 21, 2021 03:52:58.156541109 CEST	49717	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:52:58.210458994 CEST	1116	49717	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:02.309392929 CEST	49718	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:02.362545013 CEST	1116	49718	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:02.875725985 CEST	49718	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:02.929169893 CEST	1116	49718	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:03.438215017 CEST	49718	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:03.491142988 CEST	1116	49718	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:07.503067017 CEST	49719	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:07.559045076 CEST	1116	49719	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:08.063765049 CEST	49719	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:08.118566036 CEST	1116	49719	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:08.626286983 CEST	49719	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:08.680763960 CEST	1116	49719	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:12.690285921 CEST	49720	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:12.745004892 CEST	1116	49720	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:13.251724005 CEST	49720	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:13.304702997 CEST	1116	49720	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:13.814275026 CEST	49720	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:13.867314100 CEST	1116	49720	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:17.878226995 CEST	49721	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:17.884282112 CEST	80	49683	93.184.220.29	192.168.2.3
Jul 21, 2021 03:53:17.884340048 CEST	49683	80	192.168.2.3	93.184.220.29
Jul 21, 2021 03:53:17.932266951 CEST	1116	49721	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:18.439481974 CEST	49721	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:18.492839098 CEST	1116	49721	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:19.002253056 CEST	49721	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:19.055798054 CEST	1116	49721	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:23.166569948 CEST	49722	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:23.235389948 CEST	1116	49722	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:23.736860037 CEST	49722	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:23.793011904 CEST	1116	49722	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:24.299511909 CEST	49722	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:24.352535963 CEST	1116	49722	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:28.279792070 CEST	443	49682	204.79.197.200	192.168.2.3
Jul 21, 2021 03:53:28.438749075 CEST	49723	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:28.491972923 CEST	1116	49723	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:29.002847910 CEST	49723	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:29.055430889 CEST	1116	49723	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:29.565398932 CEST	49723	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:29.619949102 CEST	1116	49723	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:30.024487019 CEST	80	49683	93.184.220.29	192.168.2.3
Jul 21, 2021 03:53:30.024947882 CEST	49683	80	192.168.2.3	93.184.220.29
Jul 21, 2021 03:53:33.689836025 CEST	49724	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:33.742860079 CEST	1116	49724	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:34.253382921 CEST	49724	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:34.307046890 CEST	1116	49724	185.140.53.9	192.168.2.3
Jul 21, 2021 03:53:34.815907001 CEST	49724	1116	192.168.2.3	185.140.53.9
Jul 21, 2021 03:53:34.869194031 CEST	1116	49724	185.140.53.9	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 21, 2021 03:51:18.202467918 CEST	59353	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:18.252687931 CEST	53	59353	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:20.022797108 CEST	52238	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:20.080991030 CEST	53	52238	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:20.802751064 CEST	49873	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:20.863364935 CEST	53	49873	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:21.724936008 CEST	53196	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:21.775227070 CEST	53	53196	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:22.665776014 CEST	56777	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:22.726191044 CEST	53	56777	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:23.819473982 CEST	58643	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:23.877937078 CEST	53	58643	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:25.130240917 CEST	60985	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:25.182157040 CEST	53	60985	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:26.220266104 CEST	50200	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:26.270309925 CEST	53	50200	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:27.064694881 CEST	51281	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:27.114361048 CEST	53	51281	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:28.961289883 CEST	49199	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:29.019694090 CEST	53	49199	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:30.281435966 CEST	50620	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:30.336317062 CEST	53	50620	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:31.129154921 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:31.189815998 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:32.000730038 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:32.073991060 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:32.818979025 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:32.879477024 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:33.637486935 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:33.704668045 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:48.239238024 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:48.298796892 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:53.640549898 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:53.699945927 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:53.943465948 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:54.048023939 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 21, 2021 03:51:59.157094955 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:51:59.217750072 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 21, 2021 03:52:20.173218966 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:52:20.233788967 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 21, 2021 03:52:25.452625036 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:52:25.510504961 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 21, 2021 03:52:30.749924898 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:52:30.810293913 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 21, 2021 03:52:51.693329096 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:52:51.755877018 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 21, 2021 03:52:56.970959902 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:52:57.030994892 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 21, 2021 03:53:02.248502970 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:53:02.307182074 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 21, 2021 03:53:23.105551958 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:53:23.164592981 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 21, 2021 03:53:28.386666059 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:53:28.436691999 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 21, 2021 03:53:33.629120111 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 21, 2021 03:53:33.689150095 CEST	53	57084	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 21, 2021 03:51:48.239238024 CEST	192.168.2.3	8.8.8.8	0xff05	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:51:53.640549898 CEST	192.168.2.3	8.8.8.8	0x8ed1	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:51:59.157094955 CEST	192.168.2.3	8.8.8.8	0xc543	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:20.173218966 CEST	192.168.2.3	8.8.8.8	0xe928	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:25.452625036 CEST	192.168.2.3	8.8.8.8	0xd90d	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:30.749924898 CEST	192.168.2.3	8.8.8.8	0xf384	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:51.693329096 CEST	192.168.2.3	8.8.8.8	0xf4a2	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:56.970959902 CEST	192.168.2.3	8.8.8.8	0x8c38	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:02.248502970 CEST	192.168.2.3	8.8.8.8	0x2a18	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:23.105551958 CEST	192.168.2.3	8.8.8.8	0x786d	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:28.386666059 CEST	192.168.2.3	8.8.8.8	0x9ec2	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:33.629120111 CEST	192.168.2.3	8.8.8.8	0xd762	Standard query (0)	1116.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 21, 2021 03:51:48.298796892 CEST	8.8.8.8	192.168.2.3	0xff05	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:51:53.699945927 CEST	8.8.8.8	192.168.2.3	0x8ed1	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:51:59.217750072 CEST	8.8.8.8	192.168.2.3	0xc543	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:20.233788967 CEST	8.8.8.8	192.168.2.3	0xe928	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:25.510504961 CEST	8.8.8.8	192.168.2.3	0xd90d	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:30.810293913 CEST	8.8.8.8	192.168.2.3	0xf384	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:51.755877018 CEST	8.8.8.8	192.168.2.3	0xf4a2	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:52:57.030994892 CEST	8.8.8.8	192.168.2.3	0x8c38	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:02.307182074 CEST	8.8.8.8	192.168.2.3	0x2a18	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:23.164592981 CEST	8.8.8.8	192.168.2.3	0x786d	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:28.436691999 CEST	8.8.8.8	192.168.2.3	0x9ec2	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)
Jul 21, 2021 03:53:33.689150095 CEST	8.8.8.8	192.168.2.3	0xd762	No error (0)	1116.hopto.org	185.140.53.9	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: HUMVC_039873637892OIHGDHJZ.exe PID: 2476 Parent PID: 5596

General

Start time:	03:51:24
Start date:	21/07/2021
Path:	C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\HUMVC_039873637892OIHGDHJZ.exe'
Imagebase:	0x190000
File size:	820224 bytes
MD5 hash:	16D9AE1D9213807E9545F807CADE8882
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4744 Parent PID: 2476

General

Start time:	03:51:42
Start date:	21/07/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SyTPTBF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2F.tmp'
Imagebase:	0x140000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4424 Parent PID: 4744

General

Start time:	03:51:42
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 5028 Parent PID: 2476

General

Start time:	03:51:43
Start date:	21/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x40000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: MSBuild.exe PID: 1156 Parent PID: 2476

General

Start time:	03:51:43
Start date:	21/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x1b0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: MSBuild.exe PID: 5956 Parent PID: 2476

General

Start time:	03:51:43
Start date:	21/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x730000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.477448915.0000000003BF9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.478901145.00000000060C0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.473461080.0000000002BB1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.478438953.00000000052B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.478438953.00000000052B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.471043207.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 5924 Parent PID: 5956

General

Start time:	03:51:45
Start date:	21/07/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3DFC.tmp'
Imagebase:	0x140000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5912 Parent PID: 5924

General

Start time:	03:51:45
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 4840 Parent PID: 5956

General

Start time:	03:51:46
Start date:	21/07/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp41B6.tmp'
Imagebase:	0x140000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 2588 Parent PID: 528

General

Start time:	03:51:46
Start date:	21/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
Imagebase:	0x730000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 4308 Parent PID: 4840

General

Start time:	03:51:46
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4720 Parent PID: 2588

General

Start time:	03:51:46
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6136 Parent PID: 528

General

Start time:	03:51:48
Start date:	21/07/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x920000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6072 Parent PID: 6136

General

Start time:	03:51:49
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 3468 Parent PID: 3388

General

Start time:	03:51:53
Start date:	21/07/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x120000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 3868 Parent PID: 3468

General

Start time:	03:51:53
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: MSBuild.exe PID: 5956 Parent PID: 2476 MSBuild.exeCOMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	142
Total number of Limit Nodes:	7

Executed Functions

Function 06590040, Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.479182183.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6590000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49ee2020156436ac6eb221c0cf5ef8ea1048b43add798429560896f9434270f
Instruction ID: 447102c8414e9c465c7ccf68ffc0f7df8c842b3e2413ea0df34e54ef16158b89
Opcode Fuzzy Hash: d49ee2020156436ac6eb221c0cf5ef8ea1048b43add798429560896f9434270f
Instruction Fuzzy Hash: F8425D71A00605CFCB54CF58C584AAEBBF2FF88314B15896DD45AAB691D734F882CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0110B6C0, Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0110B730
GetCurrentThread.KERNEL32 ref: 0110B76D
GetCurrentProcess.KERNEL32 ref: 0110B7AA
GetCurrentThreadId.KERNEL32 ref: 0110B803

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 29d56f1d63121d59e9347e00ae11879261da76427c12c9445d27f699674af482
Instruction ID: 26abe46eec9b68f65c511343977d203a2e412e023dbbcc9a42ee0994ced47dfd
Opcode Fuzzy Hash: 29d56f1d63121d59e9347e00ae11879261da76427c12c9445d27f699674af482
Instruction Fuzzy Hash: 155165B4E056488FEB14CFA9C688BDEBBF1BF48314F248569E009A7390C7749945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0110B6D0, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0110B730
GetCurrentThread.KERNEL32 ref: 0110B76D
GetCurrentProcess.KERNEL32 ref: 0110B7AA
GetCurrentThreadId.KERNEL32 ref: 0110B803

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b06859719ce183f03d2c0588aa948e88443e657915bb60cbb7da2104c4e094f2
Instruction ID: 62a1f8d6bcf7049b62e655f3821ddd1009054ccd1ec1f273f89ef9444067989e
Opcode Fuzzy Hash: b06859719ce183f03d2c0588aa948e88443e657915bb60cbb7da2104c4e094f2
Instruction Fuzzy Hash: A35166B4E046088FEB14CFAAC688BDEBBF5BF48314F248569E019A7390C7749944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0110FAA0, Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0110FD0A

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ebbd4aedf354a2f778e4a551cbb67b7605da5778785c4340fdcdb1375558a9ce
Instruction ID: ba983e500b73353fdb99ee4a573a602ae54eaef73f7ae64466267065b193c686
Opcode Fuzzy Hash: ebbd4aedf354a2f778e4a551cbb67b7605da5778785c4340fdcdb1375558a9ce
Instruction Fuzzy Hash: 16917971C093899FCF16CFA5C891ACDBFB1BF1A314F19819AE844AB262C3749845CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06593558, Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.479182183.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6590000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9869f726306194294c4a788a2be5bde9e3206cb6309b05052743c845c8f86a0
Instruction ID: bb1dcde56ca8e45d2510f131f4906298e7f581cadf083835392176dedcf7f0cf
Opcode Fuzzy Hash: f9869f726306194294c4a788a2be5bde9e3206cb6309b05052743c845c8f86a0
Instruction Fuzzy Hash: AA8156B1D00219CFDF10DFA9C8846EEBBB5FF49314F20852AD415AB250DB74A94ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011093E8, Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0110962E

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fa95482177238d9a287bd01c13fb58bfb11a967218c8aa25e1b6ce5ee5a836fe
Instruction ID: 88b57a52d0604dcd9b01b828e262df5b574d3847cf3bc23b9ada9c1e2a4bd766
Opcode Fuzzy Hash: fa95482177238d9a287bd01c13fb58bfb11a967218c8aa25e1b6ce5ee5a836fe
Instruction Fuzzy Hash: 0C717AB0A00B058FD729DF29C55079ABBF1FF48208F008A2DD58AD7A90D774E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06593604, Relevance: 1.6, APIs: 1, Instructions: 143
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06593738

Memory Dump Source

Source File: 00000005.00000002.479182183.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6590000_MSBuild.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 82f69aac99afeb43ab7ffa17b075bae354c61243f71743b0a6fb8437eb64ac79
Instruction ID: 5e071a72098980a07a67c17db3107abf440b6dc1d4b77fd257c3ec6a299a0110
Opcode Fuzzy Hash: 82f69aac99afeb43ab7ffa17b075bae354c61243f71743b0a6fb8437eb64ac79
Instruction Fuzzy Hash: 1351F0B1D00218CFDF10CFA9D9847DDBBB5BF49314F24852AE815AB250DBB4A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06591914, Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06593738

Memory Dump Source

Source File: 00000005.00000002.479182183.0000000006590000.00000040.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6590000_MSBuild.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: ac2f859878e7283d1c9dafe460139492b19c45731f041fa3d3b052bf6277cfdb
Instruction ID: 37fcec1406a8adb321e5b8da5ed181dc779ec33079336178af85476846cc91ce
Opcode Fuzzy Hash: ac2f859878e7283d1c9dafe460139492b19c45731f041fa3d3b052bf6277cfdb
Instruction Fuzzy Hash: 7151E2B1D00218DFDF50CFA9D884BDEBBB5BF48314F248529E815AB250DBB4A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0110FBF8, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0110FD0A

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b74770ff96534ae77ee2ef76aca26b527afa49ff58a5319796432244edb16613
Instruction ID: 5f68ee1b1bbc4dd316dc955dd71fb7bedc438ac0dcae94d23212f51e8e1cb2c7
Opcode Fuzzy Hash: b74770ff96534ae77ee2ef76aca26b527afa49ff58a5319796432244edb16613
Instruction Fuzzy Hash: 9541D1B1D00309DFDF15CF99C884ADEBBB5BF48310F24852AE819AB250D774A986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0110F904, Relevance: 1.6, APIs: 1, Instructions: 105
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClassW.USER32(00000000), ref: 0110F9F4

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: ClassRegister
String ID:
API String ID: 2764894006-0
Opcode ID: 7e218c3a2ef36c9ed1811925621e6dc20ff058730f8c95b6ad715d2097f67e6a
Instruction ID: 478f32035fe1f781314d41cb55447eccd1e427f6d426239722dfecdef88fed15
Opcode Fuzzy Hash: 7e218c3a2ef36c9ed1811925621e6dc20ff058730f8c95b6ad715d2097f67e6a
Instruction Fuzzy Hash: 46410570D1074ADBDB28CFA9C4857DDFBB1BF99304F24861AE415A7240E7B4A486CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0110F910, Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClassW.USER32(00000000), ref: 0110F9F4

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: ClassRegister
String ID:
API String ID: 2764894006-0
Opcode ID: 0b11c380c9e1455189f8aa400bb1e242b5b9ed6d0b67907c7df929c335315cea
Instruction ID: 25a6876cff55debd223d2339289e3059fb6a8ab56d3f0a83b499bf13b5ffc6ea
Opcode Fuzzy Hash: 0b11c380c9e1455189f8aa400bb1e242b5b9ed6d0b67907c7df929c335315cea
Instruction Fuzzy Hash: 42410470D1074ADBDB28CFA9C4857DDFBB1BF99304F24861AE414A7240EBB4A486CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0110BDC1, Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110BD87

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7b993be6af68d8f50432d71858ff3dc03230dbe982c8b618b6cd1a324d1d0297
Instruction ID: 0f6eb2fcca187364deab121427b8a0345d37350a7bec86bab3d5b9c4ba3bc2bd
Opcode Fuzzy Hash: 7b993be6af68d8f50432d71858ff3dc03230dbe982c8b618b6cd1a324d1d0297
Instruction Fuzzy Hash: F3419C34A80240CFE7069F75E549BAA7BF1E789704F144A2AE9458F789DBB64804CF30

Uniqueness

Uniqueness Score: -1.00%

Function 0110BCF9, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110BD87

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de6c2410d502a0c9db682851560de3209c360f6c39c9ce1fef89ad34935b4551
Instruction ID: 332b296a102c9b0159f916a68d5dcc91cfc005241d958882238755bcc8acc3b7
Opcode Fuzzy Hash: de6c2410d502a0c9db682851560de3209c360f6c39c9ce1fef89ad34935b4551
Instruction Fuzzy Hash: 3E21F2B5D002489FDB10CFAAD584AEEFFF5EB48324F14842AE954A3310C378A955CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0110BD00, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110BD87

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: acb605208b70f91c013c2033c1640d59a7304d103790307ff848bb87f538de36
Instruction ID: 4fb70f58e3794441f68e14ca0297f5db565ae12cf3335a6908c6f7d464913645
Opcode Fuzzy Hash: acb605208b70f91c013c2033c1640d59a7304d103790307ff848bb87f538de36
Instruction Fuzzy Hash: 5221C4B5D00208DFDB10CF9AD584ADEFBF9EB48324F14842AE954A3350D378A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01109849, Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011096A9,00000800,00000000,00000000), ref: 011098BA

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eb8b8ca69f9ba044ee0bc21e0568d4b9830c1753e51dde5b006bfd68aa0fc649
Instruction ID: b34d4b62bdc414a8acfbcab9d420cabc26b2dbd762293dad75fe488853669a12
Opcode Fuzzy Hash: eb8b8ca69f9ba044ee0bc21e0568d4b9830c1753e51dde5b006bfd68aa0fc649
Instruction Fuzzy Hash: 451103B6D00209DFDB14CF9AC444BDEFBF8AB49324F14842AD519A7300C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01108768, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011096A9,00000800,00000000,00000000), ref: 011098BA

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a4d4c2a267c60713ccf515430522b63760bc3ec483ae90e7aa8182745a9fa78e
Instruction ID: f4c45b937e7bcfc31399c5ded3ae4e1503708a1949c1e5bfa553480420bdf047
Opcode Fuzzy Hash: a4d4c2a267c60713ccf515430522b63760bc3ec483ae90e7aa8182745a9fa78e
Instruction Fuzzy Hash: A711C2B6D00209DBDB14CF9AC444BDEBBF8EB48324F14852AE519A7740C3B5AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011095C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0110962E

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1ac59ea29ebfb55b1f3c0155af5bc07a0419db5e789240e8e1c71ad3cd1bc432
Instruction ID: 1292bdf02f7d563c8fc424c6499ba29093dc9ba6e014ae95191aa156c70b95a5
Opcode Fuzzy Hash: 1ac59ea29ebfb55b1f3c0155af5bc07a0419db5e789240e8e1c71ad3cd1bc432
Instruction Fuzzy Hash: 7C11E3B5D006498FDB14CF9AC844BDEFBF4AB48224F14852AD519A7640C778A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0110FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0110FE9D

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f84f78d552fd7d7ed35e70b3ae083c008d53219cf4277a46b8ec1078f62f9545
Instruction ID: 4215e22703f2a56b43da49b498199228588a51c82a956403585e07bbf125eee7
Opcode Fuzzy Hash: f84f78d552fd7d7ed35e70b3ae083c008d53219cf4277a46b8ec1078f62f9545
Instruction Fuzzy Hash: D01125B5900209CFDB20CF99C589BDFFBF8EB48724F10841AE854A3640C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0110FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0110FE9D

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ad99613d7f2fcd7865155ffc6282efcdcd4f02fd4ff604513747a4d60e4d503d
Instruction ID: 5fb7619b3da5383d79262ce06949f27c60864dd057277c12e2858ac13a3e25d8
Opcode Fuzzy Hash: ad99613d7f2fcd7865155ffc6282efcdcd4f02fd4ff604513747a4d60e4d503d
Instruction Fuzzy Hash: CF1103B59002098FDB20CF99D589BDEBBF8EB48724F10841AD915A3340C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0104D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.472607907.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_104d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b73a155013eee04332338dd2259bcb53f47c75ff619d7c183b4c3757449efe1
Instruction ID: 37ad8fb1ba3c734793dcf640902bf8cd05f58903d92f7eb7eb3f5e31dc81aa29
Opcode Fuzzy Hash: 3b73a155013eee04332338dd2259bcb53f47c75ff619d7c183b4c3757449efe1
Instruction Fuzzy Hash: 062128B1504240DFDF01CF94D9C0B5ABFA5FB94328F2485B9D9450B246C736E456CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0105D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.472650215.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_105d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85683a7167423800036dfe18df1153dcb37aaa6865a1ce5926601fc7f5aa0dab
Instruction ID: e818344d9982ad05be1037062d2ea1b064d12109402f0e57a3fdc71f26cb529a
Opcode Fuzzy Hash: 85683a7167423800036dfe18df1153dcb37aaa6865a1ce5926601fc7f5aa0dab
Instruction Fuzzy Hash: CF210371504200DFDB51CF94D5C4B1BBBA5FB84254F20C9AAEC894B346C336D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0105D006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.472650215.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_105d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232b1d0410e12d53ccc9fd0195b371d58ed84f6881473cb5020918dbde6e1ea2
Instruction ID: 5a407e392efbdce2c480d7f4ec5759a1b1e4c4d28a8deef7f1aebe617555b0c4
Opcode Fuzzy Hash: 232b1d0410e12d53ccc9fd0195b371d58ed84f6881473cb5020918dbde6e1ea2
Instruction Fuzzy Hash: 2421C2755083808FCB42CF24C994706BFB1EB46214F28C5DBD8888B297C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0104D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.472607907.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_104d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction ID: 7a0236819e618cb4fa28da63161456289883d6025f460039d2cd8f709608147f
Opcode Fuzzy Hash: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction Fuzzy Hash: 6511E1B2404280DFCF02CF44D5C4B16BFB1FB94324F2482A9D8450B256C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0110E480, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ee88976b660db2578a90fe392f9245f539549b284c36e3479665b697a19c5a
Instruction ID: 8a4bbec6b54280c496ec62b9c17e51a063e3c3df3c571a33e184bd152221cd84
Opcode Fuzzy Hash: 50ee88976b660db2578a90fe392f9245f539549b284c36e3479665b697a19c5a
Instruction Fuzzy Hash: 0B12E4F94017468AD730CF66ED881893BE1B745B2CF984A08D2E11FAD9D7BE114ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0110BBD4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40fc1d081e6d2660932c366828558bd222a647dd8bd7dc8aa4888a474fa223d
Instruction ID: 8e0d5c4b714798cb97c9a8ee9c97c4f71ee0cf0adab77ce90e0c7e536c698873
Opcode Fuzzy Hash: a40fc1d081e6d2660932c366828558bd222a647dd8bd7dc8aa4888a474fa223d
Instruction Fuzzy Hash: 85A1B036E0021A8FCF1ADFE9D9445DDBBF6FF84304B15816AE905AB260EB71E905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0110E471, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.472837590.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1100000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b50aac6a51d821706d0bf3eccd4561b8d2c6013d66ae3cb583658323e4764a8
Instruction ID: 253610bd4f28c66995493ab111488d4d1380414811571d12be8639518a16ca15
Opcode Fuzzy Hash: 2b50aac6a51d821706d0bf3eccd4561b8d2c6013d66ae3cb583658323e4764a8
Instruction Fuzzy Hash: 5EC15EB98117458AD730CF66EC881897BF1BB85B2CF584B08D2A16F6D8D7BE104ACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 2588 Parent PID: 528 MSBuild.exeCOMMON

Executed Functions

Function 00EF2148, Relevance: 1.6, Instructions: 1621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1376f13d6115015b6306fda44516a40dd9d6f302f4b1e470e3439e0e75d4f21c
Instruction ID: f5012f4fd64ae526fd491f6702f885198bee6b3a06913dfaafdb31684a67d38b
Opcode Fuzzy Hash: 1376f13d6115015b6306fda44516a40dd9d6f302f4b1e470e3439e0e75d4f21c
Instruction Fuzzy Hash: F4E29131A00219DBD721EF61CD44BE9B376EF99304F5189A5E5083B295DFB0AA86CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2133, Relevance: 1.6, Instructions: 1598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980f53ee9d33b2993376724ea51a673011cf3ff5a95c156b574d6c4ae94b5248
Instruction ID: f5d579b55344899b1309c89505599d26eb999768d14609a5de34177a22f990b4
Opcode Fuzzy Hash: 980f53ee9d33b2993376724ea51a673011cf3ff5a95c156b574d6c4ae94b5248
Instruction Fuzzy Hash: EDE29131A00219DBD721EF61CD44BE9B376EF99304F5189A5E5083B295DFB06AC6CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4A20, Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774615d77914027280353c654ff6c46d6bdd0a1f60f17f82a029c970f099db3f
Instruction ID: fc1b6baf1c483cf7deb42b3b545f672938d8cb3ff05d32c409fd3c6601dcd40e
Opcode Fuzzy Hash: 774615d77914027280353c654ff6c46d6bdd0a1f60f17f82a029c970f099db3f
Instruction Fuzzy Hash: B5429F35600608CFCB14DF68C984AAEB7F2FF85305F459469E60AAB6A1DB34ED45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5CF9, Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fb45b00ea35f31efe2be1e6ff4e533ef31498dd49136e767c9066bcefc2383
Instruction ID: ba96a314a4ea53d2b762cb1015d455018fe6657848ed4aedf1c4d974de395a36
Opcode Fuzzy Hash: 90fb45b00ea35f31efe2be1e6ff4e533ef31498dd49136e767c9066bcefc2383
Instruction Fuzzy Hash: AAD1B135B006088FD724DF64C8557BAB7F2EB85308F249429D60AAB796DF35EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EF532C, Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5085c3199f6e9d90b3067dc39f98b7c6b068e372108c9334d6b13e209cf1139b
Instruction ID: 2fd252df256cb26ea9c45c490a4f07d610ba99ef6af86b3a1f9f53f3086aff79
Opcode Fuzzy Hash: 5085c3199f6e9d90b3067dc39f98b7c6b068e372108c9334d6b13e209cf1139b
Instruction Fuzzy Hash: 5021DE30A082488FEB04EBB4C8517FD7BB6AF89304F655439C201FB6A1DB348D06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0C62, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c466ff31e552556d83dee72838eceab3c5013a9b0f7f4924ce713dfb1ed1f60
Instruction ID: 14776c3d996c4692944d7d6a44150f9451308399943fa82273b08ce9aeb908f1
Opcode Fuzzy Hash: 1c466ff31e552556d83dee72838eceab3c5013a9b0f7f4924ce713dfb1ed1f60
Instruction Fuzzy Hash: 65913C75A0020CAFDB05DFE5D844AEEBBFAEF89304F14852AE505B7255DB349906CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4358, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174ed90aec1a30294f910e3f3e114af6c96e9bf9126d60dd6672da53183b6f0e
Instruction ID: 29715fb09c70ce9d29146d3c01576697b8646548489a6d41d77bd3065c4f89ef
Opcode Fuzzy Hash: 174ed90aec1a30294f910e3f3e114af6c96e9bf9126d60dd6672da53183b6f0e
Instruction Fuzzy Hash: 6C818070A01209DFDB14DF65D884BAEB7F6EF84314F118969E105AB3A5DB70EC4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1EB0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81493cdf9c1cc3057db85acc06a86338f4f2e32f2500e93bc5b75274a73d2422
Instruction ID: 3d1194c6c1a09f2b901fb7571f2b77d404778e00f0ef49b4997fa34f0f1e22ec
Opcode Fuzzy Hash: 81493cdf9c1cc3057db85acc06a86338f4f2e32f2500e93bc5b75274a73d2422
Instruction Fuzzy Hash: 4F716C35B00209DFDB14DB61D950BBEB7B6AF88304F204569E602BB294DF70ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF13C8, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59c8f5db75d299918cebac3519d0d7688cea2e545941436170558d07f78774d
Instruction ID: 72188fcf50f9fe96543291d2fc5794623aa0384cce559eadc24429ed35005df7
Opcode Fuzzy Hash: d59c8f5db75d299918cebac3519d0d7688cea2e545941436170558d07f78774d
Instruction Fuzzy Hash: BF519171E0424D9FCB04EBB598156FEBBB6EFC5310F0084BAD519E7251EB344A16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3CF8, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8997f808cd3b488311e8dd357e908fd2b7a6bf7c768b4fa291092302b2a24b30
Instruction ID: 43371f0ead6beaf02977d6220b539e8f5e53e6e8a55a9a8b3a177372d6a14a8a
Opcode Fuzzy Hash: 8997f808cd3b488311e8dd357e908fd2b7a6bf7c768b4fa291092302b2a24b30
Instruction Fuzzy Hash: 3B515935A00219DFCB01DFA9C8406EEFBF1EF49311F1581A6E954B7291E735AE46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF18C0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1419638b1bb784e169fed8fa87f080ea5e09192f748b416f2ca1fb078dc527be
Instruction ID: 55db62f7fe69fa2ec006429c42af91ec400cca9025ad28938fef585aa1253ea7
Opcode Fuzzy Hash: 1419638b1bb784e169fed8fa87f080ea5e09192f748b416f2ca1fb078dc527be
Instruction Fuzzy Hash: DE41C239A00208DFCB04EF75D8549AE77B6EF89350B1485BAE505EB2A5DF309D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0448, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456f8fd154e0c782c96d307b7443292af3079e1ca9e986c0e86511a3033e3cd7
Instruction ID: 50d161570a62b17a571761f9571ad689098ffc2e1a40a4c624a936a40ba19e91
Opcode Fuzzy Hash: 456f8fd154e0c782c96d307b7443292af3079e1ca9e986c0e86511a3033e3cd7
Instruction Fuzzy Hash: A4415C30A002099FCB44EBB8D555BED7BF2AF84308F10846AE505AF7A5DB74994ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3E99, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4afb529c8f91e6e26a23c4a2e17327790037622681cbe67b6100643d63c0ac1
Instruction ID: 896fdd9e93c13aa359352543b9af153bc8b91d43ca3b0caedb7485b4d5d4d7c9
Opcode Fuzzy Hash: c4afb529c8f91e6e26a23c4a2e17327790037622681cbe67b6100643d63c0ac1
Instruction Fuzzy Hash: A5314833B043498FCB15CA7880A12FEFBB79F99314F188569C542BB341DA619E49C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF18B0, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090ea8a6659b08cb00c811593ae5326da4afd81a4ff676a2df921f8f785f5c93
Instruction ID: a101ca7953a8d6dd29fcf19b699821b145c55d84a1414a0e9c2ff400c6226b6b
Opcode Fuzzy Hash: 090ea8a6659b08cb00c811593ae5326da4afd81a4ff676a2df921f8f785f5c93
Instruction Fuzzy Hash: 9341D038A00208DFDB04DF35D844ABA77F6EF89310B1481AAE411EB3A5DB309D0ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF45CE, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba3c0c73907b26942c7f6b33267684e3a444a6a7561dc84e29326c062913fc8
Instruction ID: b699dcefd31cfce42600ee85dc5e5e10047d105b07c3f8c3e775e7e0d93220d2
Opcode Fuzzy Hash: 7ba3c0c73907b26942c7f6b33267684e3a444a6a7561dc84e29326c062913fc8
Instruction Fuzzy Hash: AE315E71B00108CFCB08DB78D495AAE77F6AF89318F258169E115EB3A5DB70DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6190, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93bfa086408664c376c0e70a5519c20cb6df611b0cff748a4146d56f35fa17
Instruction ID: 8f142df889097d6c8acbb4291a1caa71111ba6640b88539c34e4af52645468dd
Opcode Fuzzy Hash: 2a93bfa086408664c376c0e70a5519c20cb6df611b0cff748a4146d56f35fa17
Instruction Fuzzy Hash: 9821C131E002099FCB14EBB99C45AFFBBB6EBC5214F40447AD108A7251EB70591687A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4A10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e176a83abd4a7c3b173192d3bd4e653aaebbc103238c39301073d0344a21d8
Instruction ID: 63af951d9d315a2c0b8c50a329b81549a3a9ba14e2e07631e7e3e773939567c0
Opcode Fuzzy Hash: e5e176a83abd4a7c3b173192d3bd4e653aaebbc103238c39301073d0344a21d8
Instruction Fuzzy Hash: 0031F076A002088FD7109F25C844BBA7BE6BB45301F49A4A6E509EB2E2D734CC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1768, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1c03d2ee0d41409f6e4466a86051befbb41fc64d1ec0c302b7cbe45225a062
Instruction ID: bc74e9b39444e5e8337f1f01365570761687eae291bf21769c4a5dac93b908b9
Opcode Fuzzy Hash: 2d1c03d2ee0d41409f6e4466a86051befbb41fc64d1ec0c302b7cbe45225a062
Instruction Fuzzy Hash: 4E219C70A10218CFC748EB78C5549AE77B1AF4974872005A9E10AEF3B1DB31EC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1778, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c81e7f2d8e6fde50705b7ed907b4a1bc2490df5052453bd43141e89ca0e511
Instruction ID: 6ded7c0f15bf41baff876f38ea4f4d396de1ab5b0caa865cbe1d525a48e8fb06
Opcode Fuzzy Hash: 45c81e7f2d8e6fde50705b7ed907b4a1bc2490df5052453bd43141e89ca0e511
Instruction Fuzzy Hash: 1A216A70B101148FCB48EF78D5549AE73F1AF48708B2044A9E50AEB3B0DB31ED01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6180, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8f0f98e139bb068709d69e73e0ce86723e71dae140e4dca653522a3bc44edc
Instruction ID: 74dece17e1b24b579f36d81f1e82c3fce70cc0a26096b7497b4025635f88145c
Opcode Fuzzy Hash: cf8f0f98e139bb068709d69e73e0ce86723e71dae140e4dca653522a3bc44edc
Instruction Fuzzy Hash: BF016630A043085FC705E7B88C06AEF7BBAEBC5314F4104BAD008B7252EB30590B8791

Uniqueness

Uniqueness Score: -1.00%

Function 00EF06A8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0392a74ceb376ae17ea4c964c77bc2795fd20cf89a095914a91f97e2d6690c5
Instruction ID: f215cc486470f6a51753223426c82d9cd09d9467ef73949656afca7335567f34
Opcode Fuzzy Hash: f0392a74ceb376ae17ea4c964c77bc2795fd20cf89a095914a91f97e2d6690c5
Instruction Fuzzy Hash: A6F0903174120C5BDB086B75E8147BB3295AB85749B01042AEA02E3BD6EFA4DC4A87E0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0B10, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132e93691c248522d60171e0d1678bc4c9324243875e8dfd4a6e1df30d0d595f
Instruction ID: 9957b45b89a5c8e27153e393ddea8f9582b2b87c91ee41fbadc8b9411bfad338
Opcode Fuzzy Hash: 132e93691c248522d60171e0d1678bc4c9324243875e8dfd4a6e1df30d0d595f
Instruction Fuzzy Hash: 44F08230909288DFC701DBB4AD625DD7FB4DF02204B1048F6C444BB2A3E9205A0A8741

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5830, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3923223f84a2963bdf18d08c32eade9402ae3857286b0d11c6b5cbd312fee5ed
Instruction ID: 1a52dcc165c732829568934a377985e313add1b5fe5a0d08e610582910cc186f
Opcode Fuzzy Hash: 3923223f84a2963bdf18d08c32eade9402ae3857286b0d11c6b5cbd312fee5ed
Instruction Fuzzy Hash: B3E09B357001009FC314EF66E858D9AF7AAEBC9260755813BE509D3315DE709C0687A0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF59D0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c1310fa95e7c062823d879f9f1598755a7369694db9e55440c2713f405b67a
Instruction ID: d23684d55cd80eb729c96cf7d0ac9beff72eddccba8e6c99e495c8ea8f0888fb
Opcode Fuzzy Hash: 00c1310fa95e7c062823d879f9f1598755a7369694db9e55440c2713f405b67a
Instruction Fuzzy Hash: 14E0DF33A0162497C73522AC5800BBAA2998BC4718F09853A6619E33A4DE629C0283E9

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0FB0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e8a722609e4b95604f8ecb6f10257c82fd8f993d6f61f41104d2f1dacc9050
Instruction ID: 358b0ed13866378a959f0f125d943120d45bf964bac740ec1af30c2d60bdc31d
Opcode Fuzzy Hash: 67e8a722609e4b95604f8ecb6f10257c82fd8f993d6f61f41104d2f1dacc9050
Instruction Fuzzy Hash: 15F0B7B8641245CFDB08EFB4D258AA9B7B1EF49308F2144AAD506AB7A5CF359C06CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00EF59E0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a99d72b5b0b01aaebf5b790c03907fd3565c7ef0ed05229455e561a95c0fcf
Instruction ID: 1f6c392ceb8e20ecc990873b1ab67aa1d2d7a68b73d15692353563d1a18c080f
Opcode Fuzzy Hash: 87a99d72b5b0b01aaebf5b790c03907fd3565c7ef0ed05229455e561a95c0fcf
Instruction Fuzzy Hash: 84D0C233B11A24578325226D5800BAA62CD8BC5A18B05053AA209D3714DB61AC0183E5

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0B70, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a1d1c5aa5b1c966107aa1496f8cef3ff0027a75493181923a4298d3539651a
Instruction ID: 76e90e29fddf5115e75bb47e4b82843ccdd4d2aeb427a78206090305c9c0b337
Opcode Fuzzy Hash: a7a1d1c5aa5b1c966107aa1496f8cef3ff0027a75493181923a4298d3539651a
Instruction Fuzzy Hash: 2AE05E7151D3586FE3426778AC117B27BE88B06358F1148B7EA59E73A3F545EC0083D9

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0B38, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.252814763.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ef0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea41e46b031e72ee43d82a033eb9c1cdcbf562c3212d3a6a086e097865b338d
Instruction ID: 59dcbf7a197bcd1eab7e9b9ff2b2d320409c04e643325fb39001d7fc4d016d92
Opcode Fuzzy Hash: 3ea41e46b031e72ee43d82a033eb9c1cdcbf562c3212d3a6a086e097865b338d
Instruction Fuzzy Hash: 9FD05E34A0110DEF8F40EFB5E94199EB7F9EB45204B2088A9D808F7251EE316F019B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6136 Parent PID: 528 dhcpmon.exeCOMMON

Executed Functions

Function 01222148, Relevance: 1.6, Instructions: 1621COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1282d3c3b427dddb9afb863708a0eca33abc1c03bdbf28c73cdeafe35163d507
Instruction ID: 6ef82889ba5cacee69a79222b93b68b5cbd0cd6eeba812472736a9397ace08c1
Opcode Fuzzy Hash: 1282d3c3b427dddb9afb863708a0eca33abc1c03bdbf28c73cdeafe35163d507
Instruction Fuzzy Hash: 9CE29231A10229DBD725EF65CD447D9B376FF99704F518AA4E6082B288DFB06AC1CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01222138, Relevance: 1.6, Instructions: 1594COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e601ab5994a176e6fdac9fa76ce50ac77e4201e8b62cb3ebebbbdceeee2afe
Instruction ID: 59877ceb1282ba6b91c2d314611830b042cb0eab08a0dcf7d4ecb534ca4f35d5
Opcode Fuzzy Hash: 51e601ab5994a176e6fdac9fa76ce50ac77e4201e8b62cb3ebebbbdceeee2afe
Instruction Fuzzy Hash: 51E29231A10229DBD725EF65CD447D9B376FF99704F518AA4E6082B288DFB06AC1CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01224580, Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2de7760ef137343a125d145f26d84e1abd23a9f08c83f9c13eae5389235d10c
Instruction ID: 7fc241fe42ca59c75ab700671ac992d291de44b719d3c7816c3d684d8306fac2
Opcode Fuzzy Hash: a2de7760ef137343a125d145f26d84e1abd23a9f08c83f9c13eae5389235d10c
Instruction Fuzzy Hash: B8429E30610255DFCB19EF68C988AADBBF6FF88300F458469E5168B265DB34ED85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01225858, Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35d6600342f302bf80b503211f74a37a5e8a6fdbef87804b60c86e5526845af
Instruction ID: a203203fca31c54f6319080155caf1dddf489f4518adf113e162130d1c359169
Opcode Fuzzy Hash: e35d6600342f302bf80b503211f74a37a5e8a6fdbef87804b60c86e5526845af
Instruction Fuzzy Hash: C2D1E130B003219FDB28DF28D8947AEB7B2AF84304F14C469D6169B799DB75EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01224E8C, Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d1ed86d979f0d844c4be4af58bee402667af8931207a7755de31ed64be729
Instruction ID: b1c9c5e4a54a77dc465c0fad8c522f6c434a2b47029033a46a4e8fa892e0d363
Opcode Fuzzy Hash: 421d1ed86d979f0d844c4be4af58bee402667af8931207a7755de31ed64be729
Instruction Fuzzy Hash: ED21D430A142659BDB15EFB4C8107ED7BB2AFCA204F648569C101EB3D4EB749805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01220C63, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba36edb7f65511399b84acdeb8326cf0b1b8780a32675acb7acfbd547ec9668
Instruction ID: 97ac8ce66cef1c871c9b17138bea4b4c27b38ebffe431cfbf616d3a67f97c29d
Opcode Fuzzy Hash: 4ba36edb7f65511399b84acdeb8326cf0b1b8780a32675acb7acfbd547ec9668
Instruction Fuzzy Hash: 61916F71E00218EFDB19DFE5D8449EEBBBAFF88304F14812AE611A7254DB34A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01221EB0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca85cf9371b8564219c98cc0e9ff39b10752c30bbfa7078e2a4728278e93664a
Instruction ID: c0df7c9d3b17dde5105a67285a5973319c1d53e3f851dab4634ebc95c79a6d38
Opcode Fuzzy Hash: ca85cf9371b8564219c98cc0e9ff39b10752c30bbfa7078e2a4728278e93664a
Instruction Fuzzy Hash: F9719E30B10226EFDB14DFA5C840EAEB7B6AF98700F204529E612DB395DB75ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012213C8, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1e387d4826ebb7e7d2d1a60e64ba6748360ff7bec83d5fdaa745aa050ef1ab
Instruction ID: 8f0af429e9468d6010a855444996655a8161d77d2e0b03a60cb4c3118fefdac4
Opcode Fuzzy Hash: 3f1e387d4826ebb7e7d2d1a60e64ba6748360ff7bec83d5fdaa745aa050ef1ab
Instruction Fuzzy Hash: E951C131E00269AFCB09DFB898146FEBBB6EFC5210F04C47AD559E7251EB344A25CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01223CF8, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4b6335f565554713d38f7c8242a3b9906a5e6bb98f8660554fd4301ea383c1
Instruction ID: 5eb1ea7bd1472805fdf150b45f9eeeae8559e4108f36f0db80b6c39e0784ab44
Opcode Fuzzy Hash: df4b6335f565554713d38f7c8242a3b9906a5e6bb98f8660554fd4301ea383c1
Instruction Fuzzy Hash: 44518D31E14229EFCB11CFA9D8406EDFBF1BF49310F0542A6E954A7256D738A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012218C0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81826477a3c5c52035705e3c3443194ffab8f22c486f2e1dd762e5e9d115a80b
Instruction ID: 8a8bdb705de5b2947066638c99b65eb6cf0ca2cce6bf1e3f5ec3ac83094a73ac
Opcode Fuzzy Hash: 81826477a3c5c52035705e3c3443194ffab8f22c486f2e1dd762e5e9d115a80b
Instruction Fuzzy Hash: 4D41CF34B10215DFCB08EF79D8449ADB7B6FF8A300B10856AD0558B269EB30AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012218B0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1548420c45979653e62427f73da91c00b3e2f5755330b933632750de4c4eca
Instruction ID: 36ddd859687a9ceb11ac181b4b99c373a14bb4496a155794658ac4781fa4cbef
Opcode Fuzzy Hash: df1548420c45979653e62427f73da91c00b3e2f5755330b933632750de4c4eca
Instruction Fuzzy Hash: 5E41EE34A10216DFCB09DF79D8409AD7BB6FF8A300B1485BAD1118B269EB30AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01220448, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7beb23c53bcea577b0ec99683208e061eebdc826fcbf5eb7326cb4c4942da9ef
Instruction ID: 7aae383bdd41731dd22868306972b344eafb948dc016f5e555f282d265924933
Opcode Fuzzy Hash: 7beb23c53bcea577b0ec99683208e061eebdc826fcbf5eb7326cb4c4942da9ef
Instruction Fuzzy Hash: DE417C30A10219DFCB04EFB8E4447DDBBB2BF85308F108869E1159F764DB759946CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01223E99, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691e99050aefa3e85bf99e79050d4e46e8f41a1eaf946b1c89d29a7ae06fdf0f
Instruction ID: 9ca9f47f36f249b841addbdf2b60f940bd61723077314001fc9fd42cb9e6e4d7
Opcode Fuzzy Hash: 691e99050aefa3e85bf99e79050d4e46e8f41a1eaf946b1c89d29a7ae06fdf0f
Instruction Fuzzy Hash: 6F318D327243958FCB15CAB890615FDFBF27FDD210F0881ADC5829B341DA699C89CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01221768, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39c52b3f453a9ef5fcc05de2e5972eb094d30bb0a0aaf968db7b3d2ffdf0e8b
Instruction ID: 285b3bcc94c06f09f6f397accd288434aa3ec4dc1ece1da1d2bd7a2a8b3ffaf4
Opcode Fuzzy Hash: a39c52b3f453a9ef5fcc05de2e5972eb094d30bb0a0aaf968db7b3d2ffdf0e8b
Instruction Fuzzy Hash: 52318D30B101219FCB58EF78D454AAD77B2AF88318B2148A9E506DF761DB31EC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01224570, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27715c80b8fc0f2baecb05b4bb8cccfc34235f98902f67a881c2bb2f3c3b2ea0
Instruction ID: cf378af3866ad3d1adcf3c60200253db602334de607853c088eaa7d0e19519de
Opcode Fuzzy Hash: 27715c80b8fc0f2baecb05b4bb8cccfc34235f98902f67a881c2bb2f3c3b2ea0
Instruction Fuzzy Hash: E531F0306202A5DFD724EF2CE854BAE7BF6EF45301F4684AAE555C7295C738D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01225CF0, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f472c1d46bc1cf0277ebe246ce02ffc1744551c3db7aed956722be3dbb9b8a
Instruction ID: f543beeb8bb642aed6e607ddd148124ad003dc4cb2f93865e7201c973aecc5cb
Opcode Fuzzy Hash: 50f472c1d46bc1cf0277ebe246ce02ffc1744551c3db7aed956722be3dbb9b8a
Instruction Fuzzy Hash: 3321F431E002199FCB08EBB9D8146FFBBB6FFC4214F40857AD118A7344DB7459158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122043C, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d955e4b71189b1fb156cb0b6a83a2dee2855cb62a1c0e1c6dd7f4145917e93cd
Instruction ID: fc8e2750fd9dd0f436664de8f95bccddfc3e2ea6b72f6ff0d9d0f73b7f3dec1f
Opcode Fuzzy Hash: d955e4b71189b1fb156cb0b6a83a2dee2855cb62a1c0e1c6dd7f4145917e93cd
Instruction Fuzzy Hash: 08319130910219DFCB04EFE8E144ADDBBF2FF85308F508829E0145F668DB759886CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112D3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257718434.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_112d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf80b09eec942a6912ce64cee4d24f4cdabe66c94fd88505ff5da4d4149095d
Instruction ID: 25a43b0ed7504daf35057941904847b40a76418a590aad5b8bbc1111bf978543
Opcode Fuzzy Hash: cbf80b09eec942a6912ce64cee4d24f4cdabe66c94fd88505ff5da4d4149095d
Instruction Fuzzy Hash: F4210AB1504280DFDF09DF94E9C4F96BF65FB84324F24C569E8054B646C336E466C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0112D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257718434.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_112d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a784620eafa40a7db457ad88003ee9fdd74fe3dc08603083b0dd9e167220c7
Instruction ID: 3cbdd5f6eb2c9f38db452bf0a3d1495a6bb1f5c72bd44abc0a9fa66342eb8fee
Opcode Fuzzy Hash: f9a784620eafa40a7db457ad88003ee9fdd74fe3dc08603083b0dd9e167220c7
Instruction Fuzzy Hash: FB212871504240DFDF09CF94E9C4B56BFB5FB84328F24C569E9050B256C376E466C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01221778, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdb1cbdc8c96b581699dc87d1deb136c52b092f06d898d29b653e4a763488da
Instruction ID: df3a79ba75cf38f3dd35c66613ba31590b4f781a5229bac367e57bcbbc9edc0b
Opcode Fuzzy Hash: 2fdb1cbdc8c96b581699dc87d1deb136c52b092f06d898d29b653e4a763488da
Instruction Fuzzy Hash: 09213774B102218FCB48EF78C5549AE77B1AF48708B2149A9E50ADB3A0EB35ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01225CE0, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325ee1b3096c924e27764a5ae169babaf82a03572d6fa738c2767b29ec0ca016
Instruction ID: cb339b5e5ce8534eb279a6a6d59d316ae21b210f00bb2f061285b93a52c69607
Opcode Fuzzy Hash: 325ee1b3096c924e27764a5ae169babaf82a03572d6fa738c2767b29ec0ca016
Instruction Fuzzy Hash: 2F112530904309AFCB09DB79D828B9E7BB9EFC6214F4145AAD118D7245DB745805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257718434.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_112d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction ID: dfc8c0613415bfbc8744fd329c98d147ea2c68bcd21b1a9c44ffb00b49ddf4d7
Opcode Fuzzy Hash: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction Fuzzy Hash: 0B11E172504280CFDF06CF44E5C4B16BF71FB84324F24C2A9D8054B256C336D46ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0112D3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257718434.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_112d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction ID: 95d49273594ae7eb6a97834d6e226495042c2626b49188a00d9c113bf8073f17
Opcode Fuzzy Hash: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction Fuzzy Hash: A2110372404280CFCF06CF54E9C4B56BF71FB84324F24C6A9D8040BA56C336E46ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01220698, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea7741bcf86a8401a61c16395cad98e30e19c73262150c9ff5aaba1436df7f9
Instruction ID: 211c9fa959515fd1945358f3340dd454c07181a2081b457a0aa02e4e39e887cc
Opcode Fuzzy Hash: bea7741bcf86a8401a61c16395cad98e30e19c73262150c9ff5aaba1436df7f9
Instruction Fuzzy Hash: 03F028307143255FDB186B75E8086AE3752AB80604F040438F702C77C9DF64E880C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 012206A8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ecba9ece93d660b2e5c1d2960316daa8072d540f80903622e222cc9ea93e53
Instruction ID: 3fc1039fd5030c3409fa6e1e802940fc7da62fc2b71d5112c08f732d00ad0f77
Opcode Fuzzy Hash: 91ecba9ece93d660b2e5c1d2960316daa8072d540f80903622e222cc9ea93e53
Instruction Fuzzy Hash: 73F096307142255BDB286B75B4196AE3696AB80605F140538FB42C77C9DFA4D88087E4

Uniqueness

Uniqueness Score: -1.00%

Function 01224D7C, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301200d0b2074fe7a52e04dbda730b7cf6303f9cfc35cceb2f7c2283f92740ab
Instruction ID: 049a646932158a33c13744e56e10ebd680129fa6634ba9228e3cebe8bc0d1cd9
Opcode Fuzzy Hash: 301200d0b2074fe7a52e04dbda730b7cf6303f9cfc35cceb2f7c2283f92740ab
Instruction Fuzzy Hash: F1F05972E04254EFCF08DFA59C445ED7BB5EFC5304B0082AAD112EB269E7701605CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01220FB0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc892b994454531495d5f6eba38f97a8f29281a3947fc531bc1fb2d9db6b65f1
Instruction ID: 6e7638e74a3f4a942b26939ed30abf92df20c27f036dc3e847c94fc36ca991df
Opcode Fuzzy Hash: cc892b994454531495d5f6eba38f97a8f29281a3947fc531bc1fb2d9db6b65f1
Instruction Fuzzy Hash: C0F0F4B4600211CFCB08EFB1D158AA9B7B2FF48308F2045A9E4069B7A9CB759C05CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01225390, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705c3915209973f0c885f5bfbe60e024352906602c21f0ab1e0ae977a46be0d8
Instruction ID: d6bcde766f20c08e70e8e0fa0e63d6adc954bbb93eb88b9f2ecb5efbdfbfd75a
Opcode Fuzzy Hash: 705c3915209973f0c885f5bfbe60e024352906602c21f0ab1e0ae977a46be0d8
Instruction Fuzzy Hash: F9E065357001249BC7149B6AF45899AF7A9EFC8251710813AE959C3309DE709C4587B0

Uniqueness

Uniqueness Score: -1.00%

Function 01220B38, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.257803735.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1220000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2730a5cdc81e22d166de50b9b60e945d6a0753159efcbf0a7c1c73823c481d2a
Instruction ID: e2b67c83aea2abfd3cdc000667171325de78d7e698d7925aa61c81b160340b75
Opcode Fuzzy Hash: 2730a5cdc81e22d166de50b9b60e945d6a0753159efcbf0a7c1c73823c481d2a
Instruction Fuzzy Hash: 91D05B3090010DEF8B44DFB5F50455DB7F9EF44204B1089A9D408D7204DB315F009F94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 3468 Parent PID: 3388 dhcpmon.exeCOMMON

Executed Functions

Function 02482370, Relevance: 2.0, Instructions: 2022COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454bd39618a1d66ad17688054a8bc51405c12a6b5906ef17a0647743cbd11996
Instruction ID: 75802a77191a01bdb07dc4a154781c70899d2dfbc82bb883de161eea849b5f0e
Opcode Fuzzy Hash: 454bd39618a1d66ad17688054a8bc51405c12a6b5906ef17a0647743cbd11996
Instruction Fuzzy Hash: 7F03A130A10219DBD711EF64CD44BE9B77BFF88300F5189A5E5087B2A5DBB0AA86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 024818C0, Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

", xrefs: 02481B97

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b87d04f5d4727651589d5692b399b2d16a35e3ea4e1fbe818c577a3f69ed66b7
Instruction ID: c2669b6b14f1972e5354c1fe27233234ba4a6728554b06881daa5ab9385d47da
Opcode Fuzzy Hash: b87d04f5d4727651589d5692b399b2d16a35e3ea4e1fbe818c577a3f69ed66b7
Instruction Fuzzy Hash: 1902A034B106158FDB14EFA8C490BAEB7B6FF84304F10856BD4099B3A5DB70AD86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 024851F9, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00496ade2bd8c189852946508ceb1ff2b7d2ab372555016e2637ecefb9b8c067
Instruction ID: a961c6e7b6f80ebbffac421876153854c76bd481d935b13fb648491f8a30a933
Opcode Fuzzy Hash: 00496ade2bd8c189852946508ceb1ff2b7d2ab372555016e2637ecefb9b8c067
Instruction Fuzzy Hash: FAF1AE30B102048FDB24EF64D854BAEB7F2BF84704F55846AD846AB795DB71EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02484400, Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3009b249763fa9c775c3f0ae79b541d479df925c8192e78bc3cf99b8e09b2a1
Instruction ID: 0167158b09805f7a8df97f0eb4433204199f31ee43cc4ae485b40c2637b38da8
Opcode Fuzzy Hash: c3009b249763fa9c775c3f0ae79b541d479df925c8192e78bc3cf99b8e09b2a1
Instruction Fuzzy Hash: 69B19E30500646CFC715EF28C9C4EA9BBF6FF41324B46C8AAD4459B662D734F989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02480C62, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30685786b23199cc541add09519538df8465e9559c52b39cd4945f0a98e96ef
Instruction ID: 2d810a02e8dea7ab2490a9525bcde85c37342244fbe45b3b5be17d5228c33a54
Opcode Fuzzy Hash: a30685786b23199cc541add09519538df8465e9559c52b39cd4945f0a98e96ef
Instruction Fuzzy Hash: EF915E71A102089FCB05EFE5D8549EEBBFAFF88304F14842AE505A7364DB34994ADF51

Uniqueness

Uniqueness Score: -1.00%

Function 024855E0, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb43e28ec94040544162fb9172d3485cee62c66daee9db631b509d47e98c9d04
Instruction ID: 673f2bd0721354ba988608b3fec341384e22b65fa60a28c3e46b5589febae7ed
Opcode Fuzzy Hash: fb43e28ec94040544162fb9172d3485cee62c66daee9db631b509d47e98c9d04
Instruction Fuzzy Hash: 4D618F34B102149FCB14EF64D894BAEB7B2BF88710F558466E905EB3A1DB30AC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 024813C8, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6927088f33256c3d65a9342da325808aab71c995e2031ad83c95b637177fb17
Instruction ID: 0856aa285c096e22b15619aa92e73f1c43795316bb80c677aa42ddb82caaf86d
Opcode Fuzzy Hash: f6927088f33256c3d65a9342da325808aab71c995e2031ad83c95b637177fb17
Instruction Fuzzy Hash: 9751C171E042589FCB05EBA998146EEBBF6FFC5210F0084BBD549D7251EB344A16CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02480448, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de54a2f54fa322d18062d604d24d954554a6c3747bb30d1b53d897b8bcd582a
Instruction ID: ea902acbdb9bfe8e00ac2559b7858c40faf0b0c222fb84d3bdfc56b00fbba85f
Opcode Fuzzy Hash: 0de54a2f54fa322d18062d604d24d954554a6c3747bb30d1b53d897b8bcd582a
Instruction Fuzzy Hash: 4E418034A10209DFCB44EBB8E455BDDBBF2FF84308F10982AD405AB761DB34994ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 024818B0, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3865ee490ef14d93a2d5f71ade1bdce977ebc9f949ac27617b68e83d84ec6924
Instruction ID: 802b67c27d2ca40e6e122de0f3f37d4f2f92fb30e4be6ddfe8a3d99fb2e451e6
Opcode Fuzzy Hash: 3865ee490ef14d93a2d5f71ade1bdce977ebc9f949ac27617b68e83d84ec6924
Instruction Fuzzy Hash: F241A074A00104CFD705EF68D854AAE7BB6FF89340B15896AE5099B375DB30AD4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02481872, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d990ab3e88ed9b811058b7c9b90df38d3a26c5d00829a2300af8a694f5c65f
Instruction ID: c38cdf2c4c25d973f4b7f2e67c27ffdb069ebd1922abd10bdb767bbdd449a762
Opcode Fuzzy Hash: a5d990ab3e88ed9b811058b7c9b90df38d3a26c5d00829a2300af8a694f5c65f
Instruction Fuzzy Hash: C641C434600105CFC704EF78D8549AE7BF6FF85314B14896AE4599B375DB30AD0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 02482360, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f426f821f90570e4fe7940d7559be2320669bc4bbeb0559a677d3871edcd4e
Instruction ID: d5f27e3a6e7a2ab9868a4fbc19af5f6e70686661aa72cc9898b99821acb510b7
Opcode Fuzzy Hash: e9f426f821f90570e4fe7940d7559be2320669bc4bbeb0559a677d3871edcd4e
Instruction Fuzzy Hash: 4F31CE30A10344CFDB15EB25D858BAE7BF2FF45300F05896AE806CB2A1C7B8D945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0248043A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ffc552b2747c6205cb35e352799cf80b73fbe935a608efdc51a84cb9c5406e
Instruction ID: fca5a24ee7eb92b81e25a53221d0557118d909dc077da006ae2d58d33f3d10e0
Opcode Fuzzy Hash: b3ffc552b2747c6205cb35e352799cf80b73fbe935a608efdc51a84cb9c5406e
Instruction Fuzzy Hash: E1316F34911209DFCB00EBE8E555ADDBBF6FF84308F109829E0046F765DB74998ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267799172.000000000082D000.00000040.00000001.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_82d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5b20ffa124693422e6bce31866895b6a8bfc3d449029babc93e6ed924b7c23
Instruction ID: b7ece26bdb26afa294667baffcb9d9de89c6d813d521b9763e212c04081bdc8d
Opcode Fuzzy Hash: 4f5b20ffa124693422e6bce31866895b6a8bfc3d449029babc93e6ed924b7c23
Instruction Fuzzy Hash: 6D214871504344DFDB01DF50EAC0B16BFA5FB94328F20C569D8054F246C376E886C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0082D3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267799172.000000000082D000.00000040.00000001.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_82d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70c3932e40a806b324760d13a457c8437900b425eba094650eb54f2b18b0e9e
Instruction ID: f2ceed46f6902c1eb89ccad91e36bfab7d59755e90e8b5578215a28021867931
Opcode Fuzzy Hash: b70c3932e40a806b324760d13a457c8437900b425eba094650eb54f2b18b0e9e
Instruction Fuzzy Hash: 9A210371504344DFDB04EF50E9C4B56BFA5FB94328F24C9A9E8058B346C336E896D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 02481768, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702e89420c8ffd27eb10bdc86ac0df7bd62d70dfe6f1bebda4fccfa93c283a1c
Instruction ID: 5851511bc7ae7b259fc068669c61ff0d8ef312cf4205da9d0afdc3dc62fa0dcc
Opcode Fuzzy Hash: 702e89420c8ffd27eb10bdc86ac0df7bd62d70dfe6f1bebda4fccfa93c283a1c
Instruction Fuzzy Hash: 38217C70B101108FCB48EF78D4549AE77B1AF48308B2148AAE40ADB771DB31ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02481778, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c8cd150b92974d8563ed4b2112831649015db84b061ed8512a95391a64c84a
Instruction ID: cbbf8f87bfe1c9d74b1ef60bfc04f7f5bc51cdd49a19954c4775068a8131018a
Opcode Fuzzy Hash: 82c8cd150b92974d8563ed4b2112831649015db84b061ed8512a95391a64c84a
Instruction Fuzzy Hash: 2C213974B101108FCB48EB78D5549AE77B1AF48708B2149AAE40ADB3B1DB35ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02485819, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a049a5a15363d2bc96ced6232f5431977364a7eaca1fd0025b46978674dd6b
Instruction ID: ac1b0b9243c52f99a39ba2b8bbea45b199d3d84061dcf6086d172332cddc363f
Opcode Fuzzy Hash: e9a049a5a15363d2bc96ced6232f5431977364a7eaca1fd0025b46978674dd6b
Instruction Fuzzy Hash: F6113631A042545FC741EBB89C647AF7FB5EFC2224B4544ABD048DB211DB300D16C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02484B2A, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9d43e9e163bc5dc0d7bb57b664592e051063c2e2713c2a0be449b3b55b795d
Instruction ID: 30ed2bc0dff030924d988cbb4b0040c08e64547fd3fda1fa4cd0f58072ea508c
Opcode Fuzzy Hash: bc9d43e9e163bc5dc0d7bb57b664592e051063c2e2713c2a0be449b3b55b795d
Instruction Fuzzy Hash: FD116034A142158BDB14EBA4C8557EE77B2BF89314F544829C401FB794EB389D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02484B30, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28f0234997c4dc5dac2e0fd9d074af16a0fef3ca39667d2f41609a4be297e27
Instruction ID: 7c0e374447f35d15ff82c196b97b6ab93ede5ce7c816b1debc38f60255ffcb32
Opcode Fuzzy Hash: c28f0234997c4dc5dac2e0fd9d074af16a0fef3ca39667d2f41609a4be297e27
Instruction Fuzzy Hash: EF119D34A142158BDB04FBA4C851BEE76B6AB89218F504839C401FB790EF789946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082D3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267799172.000000000082D000.00000040.00000001.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_82d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction ID: 07b32ed0fe2ad3058cb239444b2b5036b763c628b0fe1c00e9baad50cadc4999
Opcode Fuzzy Hash: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction Fuzzy Hash: A811D376504380DFCB11DF10D9C4B16BF71FB94324F24C6A9D8454B656C336E89ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267799172.000000000082D000.00000040.00000001.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_82d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction ID: e8019c57cf4605d4b86eeb96c6945b2a94e2422588513cadb6019f5cd448af6e
Opcode Fuzzy Hash: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
Instruction Fuzzy Hash: 6311B176504380DFDB12CF14D6C4B16BF71FB94324F24C6A9D8054B656C376D89ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02480698, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ca0a117c8113074451321dd26e3fd5be8be1ff6c6b1f9227dddeb79ecc2d24
Instruction ID: fa5e28989c505596d91ae1897a6f699fbbf934dc9011901b03c63ee3da4fdcb9
Opcode Fuzzy Hash: a2ca0a117c8113074451321dd26e3fd5be8be1ff6c6b1f9227dddeb79ecc2d24
Instruction Fuzzy Hash: BAF0C2307203544BDF047770A4256AF3BA1AF81A59F00182EE942E73A1EFA8CC4AC7E1

Uniqueness

Uniqueness Score: -1.00%

Function 024806A8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fce3d5df361696c952e0f74863816c2738e0f53d240cf3cc2f2fac72abf43b
Instruction ID: e198780dd756af3f6cd6266df26c31728a06c910e44267f0f1160bbb478db647
Opcode Fuzzy Hash: 07fce3d5df361696c952e0f74863816c2738e0f53d240cf3cc2f2fac72abf43b
Instruction Fuzzy Hash: C7F090307203144BDF047774B825AAF3695AB81A49F00182DA942E37E4DFA4D84987E1

Uniqueness

Uniqueness Score: -1.00%

Function 02484D21, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea4185fbee3842da67711fd29c4d409a6c47c9e456675a22321bf64eafe0b78
Instruction ID: 7ca6a785b42c1f036f462b24672f4aedda96ed5a88847ef6c82b9f0e988d82c2
Opcode Fuzzy Hash: 8ea4185fbee3842da67711fd29c4d409a6c47c9e456675a22321bf64eafe0b78
Instruction Fuzzy Hash: C3F0E9313042909FC305DB79ECA899ABF75EFCA2507048476E489CB362DA709C0AC7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02480FB0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e88bf4647fab48a79c1516981db88fb4a6f3e7949b08e8bb33af39d6eb214b
Instruction ID: d8d09aca81994ce285ea5c689612e756f2bbfcf2efe1db3dd18d35f2dc3eb026
Opcode Fuzzy Hash: 69e88bf4647fab48a79c1516981db88fb4a6f3e7949b08e8bb33af39d6eb214b
Instruction Fuzzy Hash: BFF0F9B8601205CFDB04EFB0D158A69B7B1FF48309F20446AD40A9B7B5CB759806CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02484D30, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ee151f3fc6e594713bda97ba1b6a8b61bc875f0e47e7fae095fac9d5d984f9
Instruction ID: 6c9a3ca8a3f29314f1848b7d6b92b4d9ce4dd0796187f883455cccdc740b5932
Opcode Fuzzy Hash: 18ee151f3fc6e594713bda97ba1b6a8b61bc875f0e47e7fae095fac9d5d984f9
Instruction Fuzzy Hash: D3E09B353001149FC304DB65F848D9AF7A9FFC9251710843AE54AC3315DFB19C0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 02480B28, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0433592dd5490e1a0bd5989bfaef15798896d70346dd6bc5bdffa5213dd4da93
Instruction ID: f79ffd9f832e50495b5c75cb1cf9f1f39d8f17e2f898396162a3418a538d13dc
Opcode Fuzzy Hash: 0433592dd5490e1a0bd5989bfaef15798896d70346dd6bc5bdffa5213dd4da93
Instruction Fuzzy Hash: 93E09230505388DFC741DFB4E82159D7FB5EF47200B1048E9D888EB132D6325E059B81

Uniqueness

Uniqueness Score: -1.00%

Function 02480B38, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.267955194.0000000002480000.00000040.00000001.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2480000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc72affa72fead0e7bcbeb0a9ef7b5f022667223a4d14b2e7e57732092d9d21e
Instruction ID: 2d299ff5a2d127d8a110bdbab309b3b9a1c45f5fa1e67462e2060710ee22ef73
Opcode Fuzzy Hash: cc72affa72fead0e7bcbeb0a9ef7b5f022667223a4d14b2e7e57732092d9d21e
Instruction Fuzzy Hash: 5CD05B3090110CEF8744DFF4F91595DB7F9FB45204B1088A9D808D7210DA315F049F95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report HUMVC_039873637892OIHGDHJZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

Function 0110B6C0, Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0110B6D0, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre