Windows Analysis Report TRwrC.exe

Overview

General Information

Sample Name: TRwrC.exe
Analysis ID: 452192
MD5: eaa9755979d4edeac9c48ffb1f42551c
SHA1: 0ba5fc95f551f89648e0ddae327e60ffa417712f
SHA256: 6f6d5cffc1e927811613347c2c10f9071434fedde5780114089981e494b573a7
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Checks for debuggers (devices)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • TRwrC.exe (PID: 2044 cmdline: 'C:\Users\user\Desktop\TRwrC.exe' MD5: EAA9755979D4EDEAC9C48FFB1F42551C)
  • dhcpmon.exe (PID: 5876 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EAA9755979D4EDEAC9C48FFB1F42551C)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "e8dbb34a-f657-4ae4-ba56-6d78335a",
  "Group": "Minecraft SMP10PC",
  "Domain1": "domingos-50227.portmap.io",
  "Domain2": "domingos-50227.portmap.io",
  "Port": 50227,
  "KeyboardLogging": "Disable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Enable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
TRwrC.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
TRwrC.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
TRwrC.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
TRwrC.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.dhcpmon.exe.34f3dc4.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
5.2.dhcpmon.exe.34f3dc4.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
0.0.TRwrC.exe.460000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.TRwrC.exe.460000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
0.0.TRwrC.exe.460000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TRwrC.exe, ProcessId: 2044, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TRwrC.exe, ProcessId: 2044, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TRwrC.exe, ProcessId: 2044, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TRwrC.exe, ProcessId: 2044, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: TRwrC.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e8dbb34a-f657-4ae4-ba56-6d78335a", "Group": "Minecraft SMP10PC", "Domain1": "domingos-50227.portmap.io", "Domain2": "domingos-50227.portmap.io", "Port": 50227, "KeyboardLogging": "Disable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: TRwrC.exe, Virustotal: Detection: 80%
Yara detected Nanocore RAT
Source: Yara match, File source: TRwrC.exe, type: SAMPLE
Source: Yara match, File source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.451e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.451e434.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.4522a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORY
Source: Yara match, File source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORY
Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TRwrC.exe, Joe Sandbox ML: detected
Source: 5.2.dhcpmon.exe.d20000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.TRwrC.exe.460000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.dhcpmon.exe.d20000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: TRwrC.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\TRwrC.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: domingos-50227.portmap.io
Source: unknown, DNS traffic detected: queries for: clientconfig.passport.net
Source: dhcpmon.exe, 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: TRwrC.exe, type: SAMPLE
Source: Yara match, File source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.451e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.451e434.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.4522a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORY
Source: Yara match, File source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORY
Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: TRwrC.exe, type: SAMPLEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: TRwrC.exe, type: SAMPLEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.dhcpmon.exe.34f3dc4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.dhcpmon.exe.451e434.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 5.2.dhcpmon.exe.451e434.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.dhcpmon.exe.4522a5d.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_00D2524A5_2_00D2524A
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02FC2FA85_2_02FC2FA8
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02FC23A05_2_02FC23A0
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02FC38505_2_02FC3850
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 5_2_02FC306F5_2_02FC306F
            Source: TRwrC.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
            Source: TRwrC.exe, type: SAMPLEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: TRwrC.exe, type: SAMPLEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: TRwrC.exe, type: SAMPLEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 5.2.dhcpmon.exe.34f3dc4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.dhcpmon.exe.34f3dc4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 5.2.dhcpmon.exe.451e434.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.dhcpmon.exe.451e434.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.dhcpmon.exe.451e434.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.dhcpmon.exe.451e434.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 5.2.dhcpmon.exe.4522a5d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.dhcpmon.exe.4522a5d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: TRwrC.exe | Static PE information: Section: .rsrc ZLIB complexity 0.999765625
Source: dhcpmon.exe.0.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999765625
Source: TRwrC.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: TRwrC.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: TRwrC.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: TRwrC.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: TRwrC.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.dhcpmon.exe.d20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.dhcpmon.exe.d20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.dhcpmon.exe.d20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.dhcpmon.exe.d20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/4@85/1
Source: C:\Users\user\Desktop\TRwrC.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\TRwrC.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Users\user\Desktop\TRwrC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\TRwrC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{e8dbb34a-f657-4ae4-ba56-6d78335a5ce4}
Source: TRwrC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TRwrC.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TRwrC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\TRwrC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TRwrC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\TRwrC.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: TRwrC.exe | Virustotal: Detection: 80%
Source: C:\Users\user\Desktop\TRwrC.exe | File read: C:\Users\user\Desktop\TRwrC.exe
Source: unknown | Process created: C:\Users\user\Desktop\TRwrC.exe 'C:\Users\user\Desktop\TRwrC.exe'
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\TRwrC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: TRwrC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

.NET source code contains potential unpacker
Source: TRwrC.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: TRwrC.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.dhcpmon.exe.d20000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.dhcpmon.exe.d20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.dhcpmon.exe.d20000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.dhcpmon.exe.d20000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: TRwrC.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: TRwrC.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.TRwrC.exe.460000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.dhcpmon.exe.d20000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.dhcpmon.exe.d20000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.dhcpmon.exe.d20000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.dhcpmon.exe.d20000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: C:\Users\user\Desktop\TRwrC.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped file)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Users\user\Desktop\TRwrC.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\TRwrC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TRwrC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TRwrC.exe | Window / User API: foregroundWindowGot 1007
Source: C:\Users\user\Desktop\TRwrC.exe | Window / User API: foregroundWindowGot 358
Source: C:\Users\user\Desktop\TRwrC.exe TID: 1064 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TRwrC.exe TID: 1560 | Thread sleep time: -340000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6000 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TRwrC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TRwrC.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Users\user\Desktop\TRwrC.exe.config
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Users\user\Desktop\TRwrC.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\TRwrC.exe.log
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Users\user\Desktop\TRwrC.exe:Zone.Identifier
Source: C:\Users\user\Desktop\TRwrC.exe | File opened: C:\Users\user\Desktop\TRwrC.exe
Source: C:\Users\user\Desktop\TRwrC.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\TRwrC.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\TRwrC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: TRwrC.exe, type: SAMPLE
Source: Yara match | File source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.451e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.451e434.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.4522a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORY
Source: Yara match | File source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Remote Access Functionality:

Detected Nanocore Rat
Source: TRwrC.exe, 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: TRwrC.exe | String found in binary or memory: NanoCore.ClientPluginHost
            Yara detected Nanocore RAT
            Source: Yara matchFile source: TRwrC.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.TRwrC.exe.460000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.dhcpmon.exe.451e434.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.dhcpmon.exe.451e434.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.dhcpmon.exe.4522a5d.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.dhcpmon.exe.45195fe.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.0.dhcpmon.exe.d20000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5876, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: TRwrC.exe PID: 2044, type: MEMORY
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Masquerading 2 | Input Capture 11 | Security Software Discovery 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            TRwrC.exe | 80% | Virustotal |
            TRwrC.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
            TRwrC.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.dhcpmon.exe.d20000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            0.0.TRwrC.exe.460000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            5.0.dhcpmon.exe.d20000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

            Domains

            Source | Detection | Scanner | Label
            clientconfig.passport.net | 0% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            domingos-50227.portmap.io | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            domingos-50227.portmap.io | unknown | unknown | true | | unknown
            clientconfig.passport.net | unknown | unknown | false | | unknown

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              domingos-50227.portmap.io | true | Avira URL Cloud: safe | unknown

              Contacted IPs


              Public

              IP | Domain | Country | Flag | ASN | ASN Name | Malicious

              Private

              IP
              192.168.2.1

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:452192
              Start date:21.07.2021
              Start time:23:08:11
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 43s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:TRwrC.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed:22
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@2/4@85/1
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 66
              • Number of non-executed functions: 3
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 2.18.105.186, 20.190.160.74, 20.190.160.68, 20.190.160.1, 20.190.160.70, 20.190.160.135, 20.190.160.72, 20.190.160.9, 20.190.160.7, 104.83.121.10, 52.147.198.201, 204.79.197.200, 13.107.21.200, 20.50.102.62, 104.43.139.144, 23.54.113.53, 40.88.32.150, 13.88.21.125, 23.0.174.200, 23.0.174.185, 20.82.209.183, 40.112.88.60
              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, authgfx.msa.akadns6.net, go.microsoft.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
              • Not all processes were analyzed; report is missing behavior information
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              23:09:01 | API Interceptor | 1035x Sleep call for process: TRwrC.exe modified
              23:09:05 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Process:C:\Users\user\Desktop\TRwrC.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):207360
              Entropy (8bit):7.4462121180145955
              Encrypted:false
              SSDEEP:6144:wLV6Bta6dtJmakIM5EP5BqF9aK4qzdbmrcPSJ:wLV6BtpmkXBBq/aK4qzdgJ
              MD5:EAA9755979D4EDEAC9C48FFB1F42551C
              SHA1:0BA5FC95F551F89648E0DDAE327E60FFA417712F
              SHA-256:6F6D5CFFC1E927811613347C2C10F9071434FEDDE5780114089981E494B573A7
              SHA-512:37FC60D70C6E573EF2FF1CBDC984614E6ECECBEE34966FB11D21703B222A3D32D64F2D519B4617C2C33AB5AD81A60FCF65E8D39AB62C145A070657D94918BEDA
              Malicious:true
              Yara Hits:
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\TRwrC.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.2874233355119316
              Encrypted:false
              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
              MD5:61CCF53571C9ABA6511D696CB0D32E45
              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
              Malicious:true
              Reputation:high, very likely benign file
              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\TRwrC.exe
              File Type:Non-ISO extended-ASCII text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:G8t:G8t
              MD5:17DF4C94B762C5452096EEE6EA66B7A2
              SHA1:B7A1FE5F514EBC025C887F1B6D5BA487571C4194
              SHA-256:D1188FFBAE4C49985758F21568E408700F8B7F43E769181C1477CA8C07571271
              SHA-512:42704F70997DBF94EF892B010D03E517482237063B0188766F663181575AFA552B0B7C32BE2624A854A3E3344D089865D36A3EF3248D6E71DF8A0E7507DE768A
              Malicious:true
              Reputation:low
              Preview: ..3.L.H

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.4462121180145955
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:TRwrC.exe
              File size:207360
              MD5:eaa9755979d4edeac9c48ffb1f42551c
              SHA1:0ba5fc95f551f89648e0ddae327e60ffa417712f
              SHA256:6f6d5cffc1e927811613347c2c10f9071434fedde5780114089981e494b573a7
              SHA512:37fc60d70c6e573ef2ff1cbdc984614e6ececbee34966fb11d21703b222a3d32d64f2d519b4617c2c33ab5ad81a60fcf65e8d39ab62c145a070657d94918beda
              SSDEEP:6144:wLV6Bta6dtJmakIM5EP5BqF9aK4qzdbmrcPSJ:wLV6BtpmkXBBq/aK4qzdgJ
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. .....................................................................

              File Icon

              Icon Hash:00828e8e8686b000

              Static PE Info

              General

              Entrypoint:0x41e792
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v2.0.50727
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x15d98 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.594503837719 | data | 6.59805919516 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              .rsrc | 0x22000 | 0x15d98 | 0x15e00 | False | 0.999765625 | data | 7.99761824146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_RCDATA | 0x22058 | 0x15d40 | TIM image, (47583,3509) | |

              Imports

              DLL | Import
              mscoree.dll | _CorExeMain

              Network Behavior

              Network Port Distribution

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 21, 2021 23:09:48.934243917 CEST5714553192.168.2.38.8.8.8
              Jul 21, 2021 23:09:48.957051039 CEST53571458.8.8.8192.168.2.3
              Jul 21, 2021 23:09:53.417315006 CEST5535953192.168.2.38.8.8.8
              Jul 21, 2021 23:09:53.439857006 CEST53553598.8.8.8192.168.2.3
              Jul 21, 2021 23:09:53.482561111 CEST5830653192.168.2.38.8.4.4
              Jul 21, 2021 23:09:53.504436016 CEST53583068.8.4.4192.168.2.3
              Jul 21, 2021 23:09:53.511677980 CEST6412453192.168.2.38.8.8.8
              Jul 21, 2021 23:09:53.534105062 CEST53641248.8.8.8192.168.2.3
              Jul 21, 2021 23:09:57.737369061 CEST4936153192.168.2.38.8.8.8
              Jul 21, 2021 23:09:57.760548115 CEST53493618.8.8.8192.168.2.3
              Jul 21, 2021 23:09:57.764597893 CEST6315053192.168.2.38.8.4.4
              Jul 21, 2021 23:09:57.788250923 CEST53631508.8.4.4192.168.2.3
              Jul 21, 2021 23:09:57.795141935 CEST5327953192.168.2.38.8.8.8
              Jul 21, 2021 23:09:57.819818020 CEST53532798.8.8.8192.168.2.3
              Jul 21, 2021 23:10:01.856786013 CEST5688153192.168.2.38.8.8.8
              Jul 21, 2021 23:10:01.880403042 CEST53568818.8.8.8192.168.2.3
              Jul 21, 2021 23:10:01.884063959 CEST5364253192.168.2.38.8.4.4
              Jul 21, 2021 23:10:01.907223940 CEST53536428.8.4.4192.168.2.3
              Jul 21, 2021 23:10:01.946635008 CEST5566753192.168.2.38.8.8.8
              Jul 21, 2021 23:10:01.968517065 CEST53556678.8.8.8192.168.2.3
              Jul 21, 2021 23:10:06.039859056 CEST5483353192.168.2.38.8.8.8
              Jul 21, 2021 23:10:06.060714006 CEST53548338.8.8.8192.168.2.3
              Jul 21, 2021 23:10:06.091521978 CEST6247653192.168.2.38.8.4.4
              Jul 21, 2021 23:10:06.111661911 CEST53624768.8.4.4192.168.2.3
              Jul 21, 2021 23:10:06.130650997 CEST4970553192.168.2.38.8.8.8
              Jul 21, 2021 23:10:06.155224085 CEST53497058.8.8.8192.168.2.3
              Jul 21, 2021 23:10:10.255323887 CEST6147753192.168.2.38.8.8.8
              Jul 21, 2021 23:10:10.276299953 CEST53614778.8.8.8192.168.2.3
              Jul 21, 2021 23:10:10.283751011 CEST6163353192.168.2.38.8.4.4
              Jul 21, 2021 23:10:10.306091070 CEST53616338.8.4.4192.168.2.3
              Jul 21, 2021 23:10:10.318248987 CEST5594953192.168.2.38.8.8.8
              Jul 21, 2021 23:10:10.339683056 CEST53559498.8.8.8192.168.2.3
              Jul 21, 2021 23:10:14.377334118 CEST5760153192.168.2.38.8.8.8
              Jul 21, 2021 23:10:15.391719103 CEST5760153192.168.2.38.8.8.8
              Jul 21, 2021 23:10:16.423003912 CEST5760153192.168.2.38.8.8.8
              Jul 21, 2021 23:10:16.908930063 CEST4934253192.168.2.38.8.8.8
              Jul 21, 2021 23:10:17.953933954 CEST4934253192.168.2.38.8.8.8
              Jul 21, 2021 23:10:18.428855896 CEST5760153192.168.2.38.8.8.8
              Jul 21, 2021 23:10:18.957823038 CEST4934253192.168.2.38.8.8.8
              Jul 21, 2021 23:10:21.001005888 CEST4934253192.168.2.38.8.8.8
              Jul 21, 2021 23:10:22.443547964 CEST5760153192.168.2.38.8.8.8
              Jul 21, 2021 23:10:25.048624992 CEST4934253192.168.2.38.8.8.8
              Jul 21, 2021 23:10:26.612273932 CEST5625353192.168.2.38.8.4.4
              Jul 21, 2021 23:10:27.654588938 CEST5625353192.168.2.38.8.4.4
              Jul 21, 2021 23:10:28.764767885 CEST5625353192.168.2.38.8.4.4
              Jul 21, 2021 23:10:30.994569063 CEST5625353192.168.2.38.8.4.4
              Jul 21, 2021 23:10:35.037904024 CEST5625353192.168.2.38.8.4.4
              Jul 21, 2021 23:10:35.066896915 CEST53562538.8.4.4192.168.2.3
              Jul 21, 2021 23:10:35.256297112 CEST4966753192.168.2.38.8.8.8
              Jul 21, 2021 23:10:35.285720110 CEST53496678.8.8.8192.168.2.3
              Jul 21, 2021 23:10:39.367691040 CEST5543953192.168.2.38.8.8.8
              Jul 21, 2021 23:10:39.393793106 CEST53554398.8.8.8192.168.2.3
              Jul 21, 2021 23:10:39.399648905 CEST5706953192.168.2.38.8.4.4
              Jul 21, 2021 23:10:39.424127102 CEST53570698.8.4.4192.168.2.3
              Jul 21, 2021 23:10:39.491625071 CEST5765953192.168.2.38.8.8.8
              Jul 21, 2021 23:10:39.517060041 CEST53576598.8.8.8192.168.2.3
              Jul 21, 2021 23:10:43.567359924 CEST5471753192.168.2.38.8.8.8
              Jul 21, 2021 23:10:43.593290091 CEST53547178.8.8.8192.168.2.3
              Jul 21, 2021 23:10:43.597448111 CEST6397553192.168.2.38.8.4.4
              Jul 21, 2021 23:10:43.623313904 CEST53639758.8.4.4192.168.2.3
              Jul 21, 2021 23:10:43.663613081 CEST5663953192.168.2.38.8.8.8
              Jul 21, 2021 23:10:43.688761950 CEST53566398.8.8.8192.168.2.3
              Jul 21, 2021 23:10:47.740528107 CEST5185653192.168.2.38.8.8.8
              Jul 21, 2021 23:10:47.767203093 CEST53518568.8.8.8192.168.2.3
              Jul 21, 2021 23:10:47.771562099 CEST5654653192.168.2.38.8.4.4
              Jul 21, 2021 23:10:47.799412012 CEST53565468.8.4.4192.168.2.3
              Jul 21, 2021 23:10:47.808650017 CEST6215253192.168.2.38.8.8.8
              Jul 21, 2021 23:10:47.833585024 CEST53621528.8.8.8192.168.2.3
              Jul 21, 2021 23:10:51.890292883 CEST5347053192.168.2.38.8.8.8
              Jul 21, 2021 23:10:51.921591997 CEST53534708.8.8.8192.168.2.3
              Jul 21, 2021 23:10:51.961401939 CEST5644653192.168.2.38.8.4.4
              Jul 21, 2021 23:10:51.991132021 CEST53564468.8.4.4192.168.2.3
              Jul 21, 2021 23:10:51.999831915 CEST5963153192.168.2.38.8.8.8
              Jul 21, 2021 23:10:52.025352955 CEST53596318.8.8.8192.168.2.3
              Jul 21, 2021 23:10:56.074913979 CEST5551553192.168.2.38.8.8.8
              Jul 21, 2021 23:10:56.101121902 CEST53555158.8.8.8192.168.2.3
              Jul 21, 2021 23:10:56.105568886 CEST6454753192.168.2.38.8.4.4
              Jul 21, 2021 23:10:56.131701946 CEST53645478.8.4.4192.168.2.3
              Jul 21, 2021 23:10:56.140166044 CEST5175953192.168.2.38.8.8.8
              Jul 21, 2021 23:10:56.173104048 CEST53517598.8.8.8192.168.2.3
              Jul 21, 2021 23:11:00.387906075 CEST5920753192.168.2.38.8.8.8
              Jul 21, 2021 23:11:00.412239075 CEST53592078.8.8.8192.168.2.3
              Jul 21, 2021 23:11:00.415723085 CEST5426953192.168.2.38.8.4.4
              Jul 21, 2021 23:11:00.441149950 CEST53542698.8.4.4192.168.2.3
              Jul 21, 2021 23:11:00.449387074 CEST5485653192.168.2.38.8.8.8
              Jul 21, 2021 23:11:00.476136923 CEST53548568.8.8.8192.168.2.3
              Jul 21, 2021 23:11:04.524609089 CEST6414053192.168.2.38.8.8.8
              Jul 21, 2021 23:11:04.550043106 CEST53641408.8.8.8192.168.2.3
              Jul 21, 2021 23:11:04.587970972 CEST6227153192.168.2.38.8.4.4
              Jul 21, 2021 23:11:04.612981081 CEST53622718.8.4.4192.168.2.3
              Jul 21, 2021 23:11:04.622313976 CEST5740453192.168.2.38.8.8.8
              Jul 21, 2021 23:11:04.648161888 CEST53574048.8.8.8192.168.2.3
              Jul 21, 2021 23:11:07.106154919 CEST6299753192.168.2.38.8.8.8
              Jul 21, 2021 23:11:07.153279066 CEST53629978.8.8.8192.168.2.3
              Jul 21, 2021 23:11:07.803303003 CEST5771253192.168.2.38.8.8.8
              Jul 21, 2021 23:11:07.856447935 CEST53577128.8.8.8192.168.2.3
              Jul 21, 2021 23:11:08.679136992 CEST6006553192.168.2.38.8.8.8
              Jul 21, 2021 23:11:08.704226017 CEST53600658.8.8.8192.168.2.3
              Jul 21, 2021 23:11:08.705286980 CEST5506853192.168.2.38.8.4.4
              Jul 21, 2021 23:11:08.731278896 CEST53550688.8.4.4192.168.2.3
              Jul 21, 2021 23:11:08.734215975 CEST6470053192.168.2.38.8.8.8
              Jul 21, 2021 23:11:08.759412050 CEST53647008.8.8.8192.168.2.3
              Jul 21, 2021 23:11:12.772248030 CEST6199853192.168.2.38.8.8.8
              Jul 21, 2021 23:11:12.802583933 CEST53619988.8.8.8192.168.2.3
              Jul 21, 2021 23:11:12.803313971 CEST5372453192.168.2.38.8.4.4
              Jul 21, 2021 23:11:12.833148956 CEST53537248.8.4.4192.168.2.3
              Jul 21, 2021 23:11:12.838100910 CEST5232853192.168.2.38.8.8.8
              Jul 21, 2021 23:11:12.866863966 CEST53523288.8.8.8192.168.2.3

              DNS Queries

               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
               Jul 21, 2021 23:08:53.093976974 CEST | 192.168.2.3 | 8.8.8.8 | 0xdfcf | Standard query (0) | clientconfig.passport.net | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:03.011032104 CEST | 192.168.2.3 | 8.8.8.8 | 0x69fa | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:03.097588062 CEST | 192.168.2.3 | 8.8.4.4 | 0x2425 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:03.250005007 CEST | 192.168.2.3 | 8.8.8.8 | 0x4c30 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:07.346379995 CEST | 192.168.2.3 | 8.8.8.8 | 0xc60b | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:07.371016026 CEST | 192.168.2.3 | 8.8.4.4 | 0xbabe | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:07.402482033 CEST | 192.168.2.3 | 8.8.8.8 | 0xebb6 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:11.472805023 CEST | 192.168.2.3 | 8.8.8.8 | 0xf314 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:11.528441906 CEST | 192.168.2.3 | 8.8.4.4 | 0x9d26 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:11.599323034 CEST | 192.168.2.3 | 8.8.8.8 | 0xb4ba | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:15.702580929 CEST | 192.168.2.3 | 8.8.8.8 | 0xb08a | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:15.726527929 CEST | 192.168.2.3 | 8.8.4.4 | 0xbab | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:15.755559921 CEST | 192.168.2.3 | 8.8.8.8 | 0xb8c1 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:19.825299025 CEST | 192.168.2.3 | 8.8.8.8 | 0xa923 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:19.850053072 CEST | 192.168.2.3 | 8.8.4.4 | 0x4404 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:19.877332926 CEST | 192.168.2.3 | 8.8.8.8 | 0x7228 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:23.963464975 CEST | 192.168.2.3 | 8.8.8.8 | 0x800b | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:23.998766899 CEST | 192.168.2.3 | 8.8.4.4 | 0x6e27 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:24.060472965 CEST | 192.168.2.3 | 8.8.8.8 | 0x3a10 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:28.165015936 CEST | 192.168.2.3 | 8.8.8.8 | 0x2761 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:28.190262079 CEST | 192.168.2.3 | 8.8.4.4 | 0x1371 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:28.258061886 CEST | 192.168.2.3 | 8.8.8.8 | 0x8b80 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:32.329732895 CEST | 192.168.2.3 | 8.8.8.8 | 0xf2fb | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:33.341167927 CEST | 192.168.2.3 | 8.8.8.8 | 0xf2fb | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:34.341768026 CEST | 192.168.2.3 | 8.8.8.8 | 0xf2fb | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:36.564687967 CEST | 192.168.2.3 | 8.8.8.8 | 0xf2fb | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:40.607577085 CEST | 192.168.2.3 | 8.8.8.8 | 0xf2fb | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:44.785906076 CEST | 192.168.2.3 | 8.8.4.4 | 0x3910 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:45.795742989 CEST | 192.168.2.3 | 8.8.4.4 | 0x3910 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:46.841794968 CEST | 192.168.2.3 | 8.8.4.4 | 0x3910 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:48.873285055 CEST | 192.168.2.3 | 8.8.4.4 | 0x3910 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:48.934243917 CEST | 192.168.2.3 | 8.8.8.8 | 0x5a51 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:53.417315006 CEST | 192.168.2.3 | 8.8.8.8 | 0xe61d | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:53.482561111 CEST | 192.168.2.3 | 8.8.4.4 | 0x4528 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:53.511677980 CEST | 192.168.2.3 | 8.8.8.8 | 0xc8de | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:57.737369061 CEST | 192.168.2.3 | 8.8.8.8 | 0x5b01 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:57.764597893 CEST | 192.168.2.3 | 8.8.4.4 | 0x19e5 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:57.795141935 CEST | 192.168.2.3 | 8.8.8.8 | 0x7942 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:01.856786013 CEST | 192.168.2.3 | 8.8.8.8 | 0x1491 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:01.884063959 CEST | 192.168.2.3 | 8.8.4.4 | 0xabf | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:01.946635008 CEST | 192.168.2.3 | 8.8.8.8 | 0x3e8c | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:06.039859056 CEST | 192.168.2.3 | 8.8.8.8 | 0x7f38 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:06.091521978 CEST | 192.168.2.3 | 8.8.4.4 | 0x6e91 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:06.130650997 CEST | 192.168.2.3 | 8.8.8.8 | 0x5c91 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:10.255323887 CEST | 192.168.2.3 | 8.8.8.8 | 0x5bfc | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:10.283751011 CEST | 192.168.2.3 | 8.8.4.4 | 0x6edd | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:10.318248987 CEST | 192.168.2.3 | 8.8.8.8 | 0x7e4f | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:14.377334118 CEST | 192.168.2.3 | 8.8.8.8 | 0xe54 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:15.391719103 CEST | 192.168.2.3 | 8.8.8.8 | 0xe54 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:16.423003912 CEST | 192.168.2.3 | 8.8.8.8 | 0xe54 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:18.428855896 CEST | 192.168.2.3 | 8.8.8.8 | 0xe54 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:22.443547964 CEST | 192.168.2.3 | 8.8.8.8 | 0xe54 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:26.612273932 CEST | 192.168.2.3 | 8.8.4.4 | 0x1112 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:27.654588938 CEST | 192.168.2.3 | 8.8.4.4 | 0x1112 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:28.764767885 CEST | 192.168.2.3 | 8.8.4.4 | 0x1112 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:30.994569063 CEST | 192.168.2.3 | 8.8.4.4 | 0x1112 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:35.037904024 CEST | 192.168.2.3 | 8.8.4.4 | 0x1112 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:35.256297112 CEST | 192.168.2.3 | 8.8.8.8 | 0x7713 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:39.367691040 CEST | 192.168.2.3 | 8.8.8.8 | 0x1ea7 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:39.399648905 CEST | 192.168.2.3 | 8.8.4.4 | 0x108c | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:39.491625071 CEST | 192.168.2.3 | 8.8.8.8 | 0xec2f | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:43.567359924 CEST | 192.168.2.3 | 8.8.8.8 | 0x10c3 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:43.597448111 CEST | 192.168.2.3 | 8.8.4.4 | 0x8a08 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:43.663613081 CEST | 192.168.2.3 | 8.8.8.8 | 0x3f28 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:47.740528107 CEST | 192.168.2.3 | 8.8.8.8 | 0xbb44 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:47.771562099 CEST | 192.168.2.3 | 8.8.4.4 | 0x36de | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:47.808650017 CEST | 192.168.2.3 | 8.8.8.8 | 0x4651 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:51.890292883 CEST | 192.168.2.3 | 8.8.8.8 | 0x1e9c | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:51.961401939 CEST | 192.168.2.3 | 8.8.4.4 | 0x2ee5 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:51.999831915 CEST | 192.168.2.3 | 8.8.8.8 | 0xf023 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:56.074913979 CEST | 192.168.2.3 | 8.8.8.8 | 0x8915 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:56.105568886 CEST | 192.168.2.3 | 8.8.4.4 | 0xa297 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:56.140166044 CEST | 192.168.2.3 | 8.8.8.8 | 0x1bbf | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:00.387906075 CEST | 192.168.2.3 | 8.8.8.8 | 0x7fb6 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:00.415723085 CEST | 192.168.2.3 | 8.8.4.4 | 0xdbfb | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:00.449387074 CEST | 192.168.2.3 | 8.8.8.8 | 0x52c7 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:04.524609089 CEST | 192.168.2.3 | 8.8.8.8 | 0xda29 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:04.587970972 CEST | 192.168.2.3 | 8.8.4.4 | 0xf82d | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:04.622313976 CEST | 192.168.2.3 | 8.8.8.8 | 0xc664 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:08.679136992 CEST | 192.168.2.3 | 8.8.8.8 | 0xfa5d | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:08.705286980 CEST | 192.168.2.3 | 8.8.4.4 | 0x4447 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:08.734215975 CEST | 192.168.2.3 | 8.8.8.8 | 0xb0e8 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:12.772248030 CEST | 192.168.2.3 | 8.8.8.8 | 0x41ac | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:12.803313971 CEST | 192.168.2.3 | 8.8.4.4 | 0xb4e5 | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:12.838100910 CEST | 192.168.2.3 | 8.8.8.8 | 0x8f5e | Standard query (0) | domingos-50227.portmap.io | A (IP address) | IN (0x0001)

              DNS Answers

               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
               Jul 21, 2021 23:08:52.902782917 CEST | 8.8.8.8 | 192.168.2.3 | 0x9cb | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
               Jul 21, 2021 23:08:53.148514032 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcf | No error (0) | clientconfig.passport.net | authgfx.msa.akadns6.net | | CNAME (Canonical name) | IN (0x0001)
               Jul 21, 2021 23:09:03.037568092 CEST | 8.8.8.8 | 192.168.2.3 | 0x69fa | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:03.121460915 CEST | 8.8.4.4 | 192.168.2.3 | 0x2425 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:03.270798922 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c30 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:07.367633104 CEST | 8.8.8.8 | 192.168.2.3 | 0xc60b | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:07.392586946 CEST | 8.8.4.4 | 192.168.2.3 | 0xbabe | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:07.424400091 CEST | 8.8.8.8 | 192.168.2.3 | 0xebb6 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:11.494216919 CEST | 8.8.8.8 | 192.168.2.3 | 0xf314 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:11.550044060 CEST | 8.8.4.4 | 192.168.2.3 | 0x9d26 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:11.622447968 CEST | 8.8.8.8 | 192.168.2.3 | 0xb4ba | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:15.723352909 CEST | 8.8.8.8 | 192.168.2.3 | 0xb08a | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:15.749783039 CEST | 8.8.4.4 | 192.168.2.3 | 0xbab | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:15.777122974 CEST | 8.8.8.8 | 192.168.2.3 | 0xb8c1 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:19.846515894 CEST | 8.8.8.8 | 192.168.2.3 | 0xa923 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:19.871386051 CEST | 8.8.4.4 | 192.168.2.3 | 0x4404 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:19.898648977 CEST | 8.8.8.8 | 192.168.2.3 | 0x7228 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:23.994505882 CEST | 8.8.8.8 | 192.168.2.3 | 0x800b | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:24.019367933 CEST | 8.8.4.4 | 192.168.2.3 | 0x6e27 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:24.083601952 CEST | 8.8.8.8 | 192.168.2.3 | 0x3a10 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:28.187236071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2761 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:28.211791992 CEST | 8.8.4.4 | 192.168.2.3 | 0x1371 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:28.279025078 CEST | 8.8.8.8 | 192.168.2.3 | 0x8b80 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:48.895234108 CEST | 8.8.4.4 | 192.168.2.3 | 0x3910 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:48.957051039 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a51 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:53.439857006 CEST | 8.8.8.8 | 192.168.2.3 | 0xe61d | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:53.504436016 CEST | 8.8.4.4 | 192.168.2.3 | 0x4528 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:53.534105062 CEST | 8.8.8.8 | 192.168.2.3 | 0xc8de | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:57.760548115 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b01 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:57.788250923 CEST | 8.8.4.4 | 192.168.2.3 | 0x19e5 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:09:57.819818020 CEST | 8.8.8.8 | 192.168.2.3 | 0x7942 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:01.880403042 CEST | 8.8.8.8 | 192.168.2.3 | 0x1491 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:01.907223940 CEST | 8.8.4.4 | 192.168.2.3 | 0xabf | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:01.968517065 CEST | 8.8.8.8 | 192.168.2.3 | 0x3e8c | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:06.060714006 CEST | 8.8.8.8 | 192.168.2.3 | 0x7f38 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:06.111661911 CEST | 8.8.4.4 | 192.168.2.3 | 0x6e91 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:06.155224085 CEST | 8.8.8.8 | 192.168.2.3 | 0x5c91 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:10.276299953 CEST | 8.8.8.8 | 192.168.2.3 | 0x5bfc | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:10.306091070 CEST | 8.8.4.4 | 192.168.2.3 | 0x6edd | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:10.339683056 CEST | 8.8.8.8 | 192.168.2.3 | 0x7e4f | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:35.066896915 CEST | 8.8.4.4 | 192.168.2.3 | 0x1112 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:35.285720110 CEST | 8.8.8.8 | 192.168.2.3 | 0x7713 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:39.393793106 CEST | 8.8.8.8 | 192.168.2.3 | 0x1ea7 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:39.424127102 CEST | 8.8.4.4 | 192.168.2.3 | 0x108c | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:39.517060041 CEST | 8.8.8.8 | 192.168.2.3 | 0xec2f | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:43.593290091 CEST | 8.8.8.8 | 192.168.2.3 | 0x10c3 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:43.623313904 CEST | 8.8.4.4 | 192.168.2.3 | 0x8a08 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:43.688761950 CEST | 8.8.8.8 | 192.168.2.3 | 0x3f28 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:47.767203093 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb44 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:47.799412012 CEST | 8.8.4.4 | 192.168.2.3 | 0x36de | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:47.833585024 CEST | 8.8.8.8 | 192.168.2.3 | 0x4651 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:51.921591997 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e9c | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:51.991132021 CEST | 8.8.4.4 | 192.168.2.3 | 0x2ee5 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:52.025352955 CEST | 8.8.8.8 | 192.168.2.3 | 0xf023 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:56.101121902 CEST | 8.8.8.8 | 192.168.2.3 | 0x8915 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:56.131701946 CEST | 8.8.4.4 | 192.168.2.3 | 0xa297 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:10:56.173104048 CEST | 8.8.8.8 | 192.168.2.3 | 0x1bbf | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:00.412239075 CEST | 8.8.8.8 | 192.168.2.3 | 0x7fb6 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:00.441149950 CEST | 8.8.4.4 | 192.168.2.3 | 0xdbfb | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:00.476136923 CEST | 8.8.8.8 | 192.168.2.3 | 0x52c7 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:04.550043106 CEST | 8.8.8.8 | 192.168.2.3 | 0xda29 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:04.612981081 CEST | 8.8.4.4 | 192.168.2.3 | 0xf82d | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:04.648161888 CEST | 8.8.8.8 | 192.168.2.3 | 0xc664 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:08.704226017 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa5d | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:08.731278896 CEST | 8.8.4.4 | 192.168.2.3 | 0x4447 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:08.759412050 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e8 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:12.802583933 CEST | 8.8.8.8 | 192.168.2.3 | 0x41ac | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:12.833148956 CEST | 8.8.4.4 | 192.168.2.3 | 0xb4e5 | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)
               Jul 21, 2021 23:11:12.866863966 CEST | 8.8.8.8 | 192.168.2.3 | 0x8f5e | Name error (3) | domingos-50227.portmap.io | none | none | A (IP address) | IN (0x0001)

              Code Manipulations

              Statistics

              Charts: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior (interactive charts, not reproduced)

              System Behavior

              General

              Start time: 23:09:00
              Start date: 21/07/2021
              Path: C:\Users\user\Desktop\TRwrC.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\TRwrC.exe'
              Imagebase: 0x460000
              File size: 207360 bytes
              MD5 hash: EAA9755979D4EDEAC9C48FFB1F42551C
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.205379855.0000000000462000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation: low

              General

              Start time: 23:09:13
              Start date: 21/07/2021
              Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase: 0xd20000
              File size: 207360 bytes
              MD5 hash: EAA9755979D4EDEAC9C48FFB1F42551C
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.233225156.0000000000D22000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.250072753.00000000034D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.250132259.00000000044D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              Reputation: low

              Disassembly

              Code Analysis


                Executed Functions

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: >_Ir
                • API String ID: 0-3386957151

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: X1kr$X1kr$X1kr$X1kr
                • API String ID: 0-2451847431

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: :@Dr$`5kr
                • API String ID: 0-2548079215

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: $>_Ir
                • API String ID: 0-1787506450

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: $ghr
                • API String ID: 0-1352911727

                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0142AAB1
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0

                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E2C,981F1875,00000000,00000000,00000000,00000000), ref: 0142ABB4
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0

                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 0304019D
                Memory Dump Source
                • Source File: 00000005.00000002.249420479.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0

                APIs
                • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0142AFEA
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0

                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0142AAB1
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0

                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 0304019D
                Memory Dump Source
                • Source File: 00000005.00000002.249420479.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0

                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E2C,981F1875,00000000,00000000,00000000,00000000), ref: 0142ABB4
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0142A58A
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0

                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0142B841
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0

                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0142BBB9
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0

                APIs
                • DispatchMessageW.USER32(?), ref: 0142BE70
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0

                APIs
                • CreateIconFromResourceEx.USER32 ref: 0142B78A
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0

                APIs
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0

                APIs
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0

                APIs
                • CreateIconFromResourceEx.USER32 ref: 0142B78A
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0142A58A
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0

                APIs
                • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0142AFEA
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0

                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0142BBB9
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0

                APIs
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0

                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0142B841
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0

                APIs
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0

                APIs
                • DispatchMessageW.USER32(?), ref: 0142BE70
                Memory Dump Source
                • Source File: 00000005.00000002.249062122.000000000142A000.00000040.00000001.sdmp, Offset: 0142A000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: $ghr
                • API String ID: 0-1352911727

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: $ghr
                • API String ID: 0-1352911727

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: r*+
                • API String ID: 0-3221063712
                • Opcode ID: 9f040be237f65a178d3c965093790fa8421321ec91b0872a18f9e89d34dd7745
                • Instruction ID: 51214400adcd466a8cb4741d0aa24f5dce3d560565e146e970762a4bb8486473
                • Opcode Fuzzy Hash: 9f040be237f65a178d3c965093790fa8421321ec91b0872a18f9e89d34dd7745
                • Instruction Fuzzy Hash: 00412C31E0820ADFDB44DFA5C6456AEBBB1FF44344F2080AEDA02A7268DB758A45CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a86594556796a25b295f8f89ee78cc84ba6dabbacd57018ebd88c848d23fdccc
                • Instruction ID: 03527056be4f4aab05c49a42e76fcffb083b3d72eb6a2031a974e3ec263e677c
                • Opcode Fuzzy Hash: a86594556796a25b295f8f89ee78cc84ba6dabbacd57018ebd88c848d23fdccc
                • Instruction Fuzzy Hash: A5418A71600205CBD728AF38E95866D3BA6FF80742764457EEA42CB2B8DFB44C42DB95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d3daefba6a340f7f89ce48121ffd14a4de478767b9a6533241828c761bf415ab
                • Instruction ID: 53b6e171f2ea8e34a00638710307ed596e5f598ec35299e999b5e4f2c535628c
                • Opcode Fuzzy Hash: d3daefba6a340f7f89ce48121ffd14a4de478767b9a6533241828c761bf415ab
                • Instruction Fuzzy Hash: 21419631B04114CFC715DF68C514AAE7BE6AFC5350F25806FEA06AF2A1CEB59C0AC791
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2517aaea6e564aab6cd38b0dbb4a0ef8ccf0ef17c38e93bb169f043add3427cf
                • Instruction ID: 9538620aa092ff6584b66b650e0c66efd84e418efdd19b3b47febbba6f7e5f95
                • Opcode Fuzzy Hash: 2517aaea6e564aab6cd38b0dbb4a0ef8ccf0ef17c38e93bb169f043add3427cf
                • Instruction Fuzzy Hash: EB41E73160D396CFC315C724DE849B87BB4EF822B4B2982AFDE56CB162C7659C09C751
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 897546de50d3d7989d77f8c548378ecf1624975a1bcc1c839a55aa5f240167e2
                • Instruction ID: 04496c1f8f2cd0a1a74129114767ecbdcb1c5f92369a53d742e7957cfd16347a
                • Opcode Fuzzy Hash: 897546de50d3d7989d77f8c548378ecf1624975a1bcc1c839a55aa5f240167e2
                • Instruction Fuzzy Hash: CF416B30F05206DFDB08CB68D254BAE7BB2AF89740F24446DD602AB3A1DF719D02CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8c81c3e9bfe6cb87ff37c743198b6466aaa3f3f35714f089851c97b6e7a8ed18
                • Instruction ID: 4191795110245c16222a66a4bb0e26766be0f09cc337d9f2d31def2d0fb76cfe
                • Opcode Fuzzy Hash: 8c81c3e9bfe6cb87ff37c743198b6466aaa3f3f35714f089851c97b6e7a8ed18
                • Instruction Fuzzy Hash: A331AF31B08206CFEB05DF68C98067E7BB6FB84380B21806BCE069B355DB309C41CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 612e2d6165af1c3ba47661179c9d37c2bf667df01983c392970cde8762519c61
                • Instruction ID: 5bfdf15840431a4c7b31c0f3df5ea9b7e1eee2221297b48c97ebe47f0f3e2716
                • Opcode Fuzzy Hash: 612e2d6165af1c3ba47661179c9d37c2bf667df01983c392970cde8762519c61
                • Instruction Fuzzy Hash: DA316D7060E3C2DFC7069B7498644583FB1EE8321471A45DFD9C5CB2A7DA795C06DB22
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c7c47cb706900ae4aae9d7629c4ea47b898cc65c59016ab0600eda974ff304b3
                • Instruction ID: 09a2ff000c182b37c63a0cbfd205b258e50cf30113d026c9a66243c7f50cb914
                • Opcode Fuzzy Hash: c7c47cb706900ae4aae9d7629c4ea47b898cc65c59016ab0600eda974ff304b3
                • Instruction Fuzzy Hash: FB314971E0820ADFDB94DFA4C6446FDBBB1FB45344F2041AECA02A7268DB359A45CB52
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6dfa4ed8c5092614ad7df78e5682750e9fd1c882e2d26c38a0c867f13662a454
                • Instruction ID: b2046c1a020d5ac1625760f2d6d79a45607ab726dba1ea794a717cc9eedcba8d
                • Opcode Fuzzy Hash: 6dfa4ed8c5092614ad7df78e5682750e9fd1c882e2d26c38a0c867f13662a454
                • Instruction Fuzzy Hash: 0C318B70E00246CFEB60DF65D54075ABBB2FF84354F20C56EC905AB268DBB89889CF41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 887c047919f6b994150d5619345c2b544ece491d76cb01e76b09b57c8e34a713
                • Instruction ID: 2a8ee174c1af66f28ac73ad591624190a3ea6083df7d99dbc5e4b32cbe453e49
                • Opcode Fuzzy Hash: 887c047919f6b994150d5619345c2b544ece491d76cb01e76b09b57c8e34a713
                • Instruction Fuzzy Hash: 4F11B772B002178BDB24ABB5D5255FF7AB6EFD4380F61412FD60797284DE748840C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f0aeb866f1795a8871ee95957ae0b6d262ef767d004004eecb83984c697b3849
                • Instruction ID: b95998ef8d40cb8f9b2b0146245d2339e80e7e1e4ca5bc7a4f7e9ae8ee4929e4
                • Opcode Fuzzy Hash: f0aeb866f1795a8871ee95957ae0b6d262ef767d004004eecb83984c697b3849
                • Instruction Fuzzy Hash: 2E110D72B002179BDF259BB4E9115FF7BBAEFD4380B21412F9A02D7244DD748844C761
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 48a60515e06aaadcfbbaf428a1ff36abf878cecce83f9ec193dfa13c98e69369
                • Instruction ID: 99fe14f2bf1613f91510cc9ff0bcc77dbb7f95e6cad84b0ae4bcd94fc25dca1c
                • Opcode Fuzzy Hash: 48a60515e06aaadcfbbaf428a1ff36abf878cecce83f9ec193dfa13c98e69369
                • Instruction Fuzzy Hash: 2311E434205784EFE305EB14C540B2ABBD5AB88708F28C9ACE9C90B643C777D847CA91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4b027ceeec7da088a69f0417d2574a5c663489f02ce9114b23561bef6d2be65f
                • Instruction ID: b43a57a89e20bc8fc9d02d9192da7a585ba5ccf3c9cf5087b90f1fa2ca4b7760
                • Opcode Fuzzy Hash: 4b027ceeec7da088a69f0417d2574a5c663489f02ce9114b23561bef6d2be65f
                • Instruction Fuzzy Hash: 1721AE3410A3C4AFD713CB20C850B15BFB1AF46208F1D86DED8C48B6A3C33A880ACB52
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d6a46d241373464e6ea85e94ea6dfbc058a9bf18207f2e2117dd9a0eb380386
                • Instruction ID: 9d850db421558a2d242508a4357c19f66ab8857e9e18fc1845e216656270018e
                • Opcode Fuzzy Hash: 1d6a46d241373464e6ea85e94ea6dfbc058a9bf18207f2e2117dd9a0eb380386
                • Instruction Fuzzy Hash: 35115AB1E1420ACFDB188FA4CA446BEBBB1FB44381F20416ECE02A7350DB755946CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6baa845b462e407f133833106df93abdbefc9f5326f21f0996832f4b39a59c44
                • Instruction ID: 607cb572a977f9bcf66ef3ad1e207dd0c421d115ec8094e663a6fbbef3f07082
                • Opcode Fuzzy Hash: 6baa845b462e407f133833106df93abdbefc9f5326f21f0996832f4b39a59c44
                • Instruction Fuzzy Hash: 1C21903010A380EFD703DB20C840B11BFE1EB86714F2989EED8C54B653C37A984ACB52
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4316ad8fbda8b3ab00cc087edb583028b09d9ba6cd479ec142337f8662fa5fd7
                • Instruction ID: 12bb63e2ae8074d657e7317abb5833a9b6e9fbf1b1dd70aa7db319f3cd21417e
                • Opcode Fuzzy Hash: 4316ad8fbda8b3ab00cc087edb583028b09d9ba6cd479ec142337f8662fa5fd7
                • Instruction Fuzzy Hash: 2811E935308281CFC7059B28D5548AA7FF6BF8625072540EFD646CB2B7CE668C09CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9ff1707297ba6c24ae995d3e2bc48df82bc83b4fafdba8a5026b7f3f08a77cf
                • Instruction ID: fb50f2c89260b07267b8b74dd7530bf871d620c76a837173ea0c43df11dfb6df
                • Opcode Fuzzy Hash: f9ff1707297ba6c24ae995d3e2bc48df82bc83b4fafdba8a5026b7f3f08a77cf
                • Instruction Fuzzy Hash: 5A01FD313042225BCB09AA3D94106BE369B9FC9A50798806FE206DF3D0CEB58C4357D7
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b373445c67f8aa9a08414dc9fe92e975b81ffff560f5736733d89eb80b1af65c
                • Instruction ID: d12a81184874f334eeca66ad882f46e74567f0a4eb8f9121b87bfb064583c20e
                • Opcode Fuzzy Hash: b373445c67f8aa9a08414dc9fe92e975b81ffff560f5736733d89eb80b1af65c
                • Instruction Fuzzy Hash: 1E01B535308141CFC7049B28D1548AA7BEAFFC525072540FED50ACB376CE768C09CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 882ff24dcfc83f271bd2b0c62afb13d735d7d7a19707de127206ac611a654c13
                • Instruction ID: 1bf759b53b753deacd4861e1144c4f0f9cd48ca311ae27a6324941652997a39c
                • Opcode Fuzzy Hash: 882ff24dcfc83f271bd2b0c62afb13d735d7d7a19707de127206ac611a654c13
                • Instruction Fuzzy Hash: 7701D6765097806FD7128F16EC40862FFB8DE8762070CC0EFED498B652D125A808CB72
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2d3a2d7a9ca261004d013fafbaaf257bbe1c47c310a49334d221d5dfec374040
                • Instruction ID: 1c712e99691e126d0727419d8f6821eead43c1a5da5da617e86b277355f823ea
                • Opcode Fuzzy Hash: 2d3a2d7a9ca261004d013fafbaaf257bbe1c47c310a49334d221d5dfec374040
                • Instruction Fuzzy Hash: D9F0B47270013247CA487A7D941177F628B9BC8A907A4412FD306DB394CEB48C4357DA
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 89457f1cb9d5b0090cbfbe245f0caff2a6045dbf1c833bcb587b0d3a6987a5dc
                • Instruction ID: c03dccf87b6fdaad109fd16827413bbd3fc90453dccdf83339167ca21ceed4df
                • Opcode Fuzzy Hash: 89457f1cb9d5b0090cbfbe245f0caff2a6045dbf1c833bcb587b0d3a6987a5dc
                • Instruction Fuzzy Hash: B2013135304011CBC6089B2CD1589AEBBEAFFD575076441AEE60ACB779CFB69C19CB81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 843aace731ed776274d000e6ffc4b47505ab44d2500d6dad9507426b8ea3560b
                • Instruction ID: be1dd7b23bb3385d2495dd1b34ae3d13cc6c0ae4f0494ec44d09e1530706a4ad
                • Opcode Fuzzy Hash: 843aace731ed776274d000e6ffc4b47505ab44d2500d6dad9507426b8ea3560b
                • Instruction Fuzzy Hash: 61F0E272501A409BCA10DF1EEC81492FB98EB88630B18C47FDC498B700E139B409CEA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b03a7fd583c77a1fbe16d93633529711f4189ebadb4b5c0f34ef02b029f8add3
                • Instruction ID: 24c33d1a2761f1bae7fd8e70d3e7082d982ad39d85fad3ad678c41c8b6c89ae8
                • Opcode Fuzzy Hash: b03a7fd583c77a1fbe16d93633529711f4189ebadb4b5c0f34ef02b029f8add3
                • Instruction Fuzzy Hash: 9AE0E533F15219DA9B546AF8DA206AFBBA997D52D0F20442F9B07A3300DD704813C291
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff99176d624dbac80fd1cab92cbe10919564a694ea3d1c0e165e66df6982a423
                • Instruction ID: 5cd1802db5b6578c2044863f9178fb6cb7955f982eeee624bdf4cdadd985a5f4
                • Opcode Fuzzy Hash: ff99176d624dbac80fd1cab92cbe10919564a694ea3d1c0e165e66df6982a423
                • Instruction Fuzzy Hash: 85F05230E18355CFC7A85AF08A206BB3BB49B82290B1004AF8E0397341CD784C07C361
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                • Instruction ID: 375ff6f1c869045d1c397f4fa117863ddeb7014edde10633bf2a56d380d8f499
                • Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                • Instruction Fuzzy Hash: 18F01D35204644EFC305DF00D540B25FBE6EB89718F24CAADE9890B752C337D813DA81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ceb70d79e7e73a09640e1a0eed81db904792d0b46a9c0efc890450a0c482cadb
                • Instruction ID: fcc1e9f0f8d771e42e0ef9f6e3ee50b8e31fc8a1101edd2e486c1b8b522763ee
                • Opcode Fuzzy Hash: ceb70d79e7e73a09640e1a0eed81db904792d0b46a9c0efc890450a0c482cadb
                • Instruction Fuzzy Hash: 04E06D766006009BD650CF0AEC41456F7D8EB88630B18C07FDC0D8B700E135B504CEA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a7ed0064b6bcf408dfa3e0c2dafbeee23104c11991cdd5f1bec055b8fc5ea69
                • Instruction ID: 3838f2afca128a12bc9d6a1c423872f4512bcd4108422fbc6636685011048f31
                • Opcode Fuzzy Hash: 3a7ed0064b6bcf408dfa3e0c2dafbeee23104c11991cdd5f1bec055b8fc5ea69
                • Instruction Fuzzy Hash: 0FE0C231208705DFC3918A10E9554E177F0FB822203118A0EC88286518CB347E07CB10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d5e7d98af2e0b0fd2afacbfe3e215f1e838c5ab461482ef80ecb0b0f24adce1
                • Instruction ID: c3d9d1c4b4b2d2811ac122a31ab0bbcdf827c6b3aed2d093a2ceb968c495ffc7
                • Opcode Fuzzy Hash: 9d5e7d98af2e0b0fd2afacbfe3e215f1e838c5ab461482ef80ecb0b0f24adce1
                • Instruction Fuzzy Hash: 3BE01272641301DFDB155B74E4591AC3761EF5626130106BAC826C76E0DA3A8846DA10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c296cb5c5e02b0b36385a213bacba27f27db9ee045235388681f51e6d4e47ddc
                • Instruction ID: 492ebbc6e1b8e9b47c2df784302a97253f3198df80bd76469275ea248ce0c37d
                • Opcode Fuzzy Hash: c296cb5c5e02b0b36385a213bacba27f27db9ee045235388681f51e6d4e47ddc
                • Instruction Fuzzy Hash: 19D02B7258D391CFC3555A7018110B477A0DA93251714847FD94181161C53F4413DF22
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6dbf50df5f7edd6da16cdb7a0bf4d6112dc32e53d0e4349ae99cd7403f86e343
                • Instruction ID: 6c27461c7577082fe9ffdd08b42df419bb5336726629ac8467b7c02227dd96d1
                • Opcode Fuzzy Hash: 6dbf50df5f7edd6da16cdb7a0bf4d6112dc32e53d0e4349ae99cd7403f86e343
                • Instruction Fuzzy Hash: 47D05E312DC386AFD7D502909925BB53BB0DB6A351F2809AB9A4B9E4BA81584505C612
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249055942.0000000001422000.00000040.00000001.sdmp, Offset: 01422000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5c624586d15a6301a19294fb0f151ef4fcb5b06d8e64fb2b0d7e35d5c292a1cc
                • Instruction ID: 05ca6f995e889b1cdb84bc4d6b9aea27be4241a4a3cd3af3acdaf7db149cc8b5
                • Opcode Fuzzy Hash: 5c624586d15a6301a19294fb0f151ef4fcb5b06d8e64fb2b0d7e35d5c292a1cc
                • Instruction Fuzzy Hash: ADD05B752156A14FD3168A1CC164F553FA4AB51B04F4644FEE8008B773C3A8D5C1D510
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249055942.0000000001422000.00000040.00000001.sdmp, Offset: 01422000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c2797c6c20778cf092a0b9335ffa32ba3c658d4849fc96660c686bb4f67a47dc
                • Instruction ID: 7751c383828e0b387a47cee56bce8228bf0b55024c2ee2292080941924394390
                • Opcode Fuzzy Hash: c2797c6c20778cf092a0b9335ffa32ba3c658d4849fc96660c686bb4f67a47dc
                • Instruction Fuzzy Hash: 64D05E342002818BD719DB1CC594F5A3BD4AF41B00F0644E9ED00CB772C3B4D8C1C600
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5fa7f79f634bc8186c83c356f045081401090f66651ba913d7167d7fa39a34fe
                • Instruction ID: eac494c9ade08240101e71861828b9c2326737fbb93e212f796b802e954d23d0
                • Opcode Fuzzy Hash: 5fa7f79f634bc8186c83c356f045081401090f66651ba913d7167d7fa39a34fe
                • Instruction Fuzzy Hash: 05D01271201306CFDB282BB4E01842833AAAB89206301087DD80A877A4EF3AE890CB04
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44c7d93084392ff89a62b298c48253a71c9be89285b919cc4ef106a40851ffa5
                • Instruction ID: fdf12589d88da2edc81a456615c1409ae03331786a0a0b766febddf5804c99a1
                • Opcode Fuzzy Hash: 44c7d93084392ff89a62b298c48253a71c9be89285b919cc4ef106a40851ffa5
                • Instruction Fuzzy Hash: A3C02B73145265CEC2143E702904439720997C1302320C43D9601002308D339473ED11
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 97bf30406fb83c93f5e7aa290c75ea27253371a40b3486cee3248fa1f5c61f2d
                • Instruction ID: 06eea4f58766432704d0002257db8c3d2d8843e376891df07a44e53eeb31f2e9
                • Opcode Fuzzy Hash: 97bf30406fb83c93f5e7aa290c75ea27253371a40b3486cee3248fa1f5c61f2d
                • Instruction Fuzzy Hash: F0B012302082090B2B5056B56808B12338C864054975000689D0CD1000FA90D0902240
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Memory Dump Source
                • Source File: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, Offset: 00D20000, based on PE: true
                • Associated: 00000005.00000002.248654784.0000000000D20000.00000002.00020000.sdmp
                • Associated: 00000005.00000002.248686935.0000000000D42000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
                • Instruction ID: 122b0dfde3043ec7decf792f152e59f8cad064651fb85cbb92c4c4b19660f033
                • Opcode Fuzzy Hash: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
                • Instruction Fuzzy Hash: 9932646144F7D14FD7235B789CB86A17FB0AE6321471E49CBC0C1CE4A7EA29591AC732
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 481425785ac2704732ab8bcafe1013cb63eb1f6ca15190ed6bf29d10d009935f
                • Instruction ID: 6cdd087696e7ebb00083e9562bd5a8a9a3c84c91dd8d60207b8ba44e7e7b08ce
                • Opcode Fuzzy Hash: 481425785ac2704732ab8bcafe1013cb63eb1f6ca15190ed6bf29d10d009935f
                • Instruction Fuzzy Hash: EB515D72F015159BD718DB6DC980A5EBBE3AFC8350F2AC1A9D505EB3A9DE30DD018B80
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
                Similarity
                • API ID:
                • String ID: ,:kr$0jr$:@Dr$X1kr
                • API String ID: 0-1245831938
                • Opcode ID: 22e26f7abea1d9bd3c08b0d6c1ec4cbd88e2d0b520ac6993660c30f4c2a7997c
                • Instruction ID: 163448d139dc45908a9158fea8cc2f0b6c200c9c7b41900cadd5d002920cdf4d
                • Opcode Fuzzy Hash: 22e26f7abea1d9bd3c08b0d6c1ec4cbd88e2d0b520ac6993660c30f4c2a7997c
                • Instruction Fuzzy Hash: EFB1A570A05344CFD3A8DF789260B6ABBE2FB94704F60596EE5898B394DF759C41CB02
                Uniqueness

                Uniqueness Score: -1.00%
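Every function record above, in both the executed and the "Non-executed Functions" part, has the same shape: a `Source File` line naming the memory dump the function was carved from (plus the region offset and whether the dump could be matched to a PE on disk), optional recovered strings, and the function's Opcode ID / Instruction ID. Read one at a time they are noise; grouped by source region they tell a triage analyst where the interesting code lives. Almost all of the functions here come from `0000000002FC0000`, a region with page protection `00000040` that is not backed by a PE, while the few from `0000000000D22000` (protection `00000002`) are backed by the on-disk image. The following Python is an added example, not part of this report or of Joe Sandbox: it parses the record layout as rendered on this page, decodes the dump-file name, and flags regions that are both RWX and not PE-backed. The field layout of the `.sdmp` name (process index, region base, page protection) is an assumption inferred from the names on this page, not documented here; `0x40` = `PAGE_EXECUTE_READWRITE` is the Windows constant from `winnt.h`. The sample records are constructed from four of the entries above.

```python
"""Group Joe Sandbox function records by the memory region they came from.
Added example (not the report's or Joe Sandbox's own code); the .sdmp field
layout is an ASSUMPTION inferred from the names on this page."""
import re
from collections import defaultdict

# Constructed sample: four records copied in shape from the report above,
# trimmed to the lines this parser uses.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
• String ID: $ghr
• Opcode ID: 4fe05132a4c91f0dbc3954dfa3d03542d6cc6ba62edfc11582ea468ec7bcb34d
• Instruction ID: 82df8de72941aa00bfe14f90e4372abf7480d73261c279abfb22a3fe08ae157d
Memory Dump Source
• Source File: 00000005.00000002.249287229.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
• String ID: ,:kr$0jr$:@Dr$X1kr
• Opcode ID: 22e26f7abea1d9bd3c08b0d6c1ec4cbd88e2d0b520ac6993660c30f4c2a7997c
• Instruction ID: 163448d139dc45908a9158fea8cc2f0b6c200c9c7b41900cadd5d002920cdf4d
Memory Dump Source
• Source File: 00000005.00000002.249425715.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
• String ID:
• Opcode ID: 48a60515e06aaadcfbbaf428a1ff36abf878cecce83f9ec193dfa13c98e69369
• Instruction ID: 99fe14f2bf1613f91510cc9ff0bcc77dbb7f95e6cad84b0ae4bcd94fc25dca1c
Memory Dump Source
• Source File: 00000005.00000002.248661530.0000000000D22000.00000002.00020000.sdmp, Offset: 00D20000, based on PE: true
• String ID:
• Opcode ID: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
• Instruction ID: 122b0dfde3043ec7decf792f152e59f8cad064651fb85cbb92c4c4b19660f033
"""

# Windows page-protection constants from winnt.h.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
PAGE_EXECUTE_READWRITE = 0x40

SOURCE_RE = re.compile(r"Source File: (?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<val>.*)$", re.M)


def decode_dump_name(name):
    """Split '<idx>.<stage>.<id>.<base>.<prot>.<type>.sdmp' into fields.
    ASSUMPTION: field 0 is the analysis process index, field 3 the region
    base address and field 4 the page protection; the others are ignored."""
    fields = name[:-len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError("unexpected .sdmp name: %s" % name)
    prot = int(fields[4], 16)
    return {"process_index": int(fields[0], 16), "base": int(fields[3], 16),
            "protection": prot, "protection_name": PAGE_PROTECTION.get(prot, hex(prot))}


def parse_records(text):
    """Return one dict per 'Memory Dump Source' block, bullet fields included."""
    records = []
    for block in text.split("Memory Dump Source")[1:]:
        m = SOURCE_RE.search(block)
        if not m:
            continue
        rec = {"dump": m.group("dump"), "offset": int(m.group("offset"), 16),
               "based_on_pe": m.group("pe") == "true"}
        for fm in FIELD_RE.finditer(block):
            rec[fm.group("key").lower().replace(" ", "_")] = fm.group("val").strip()
        rec.update(decode_dump_name(rec["dump"]))
        records.append(rec)
    return records


def summarize(records):
    """Group functions by region base. A region is marked suspicious when it is
    RWX and not backed by a PE on disk: unpacked or injected code looks like
    this, but so does JIT output in a .NET process, so treat it as a priority
    hint for manual review rather than proof of injection."""
    regions = defaultdict(lambda: {"functions": 0, "opcode_ids": set(), "strings": set()})
    for r in records:
        g = regions[r["base"]]
        g["functions"] += 1
        g["opcode_ids"].add(r["opcode_id"])
        if r.get("string_id"):
            g["strings"].add(r["string_id"])
        g["based_on_pe"] = r["based_on_pe"]
        g["protection_name"] = r["protection_name"]
        g["suspicious"] = (not r["based_on_pe"]) and r["protection"] == PAGE_EXECUTE_READWRITE
    return dict(regions)


if __name__ == "__main__":
    for base, g in sorted(summarize(parse_records(SAMPLE_RECORDS)).items()):
        print("%08X %-22s pe=%-5s funcs=%d suspicious=%s strings=%s"
              % (base, g["protection_name"], g["based_on_pe"], g["functions"],
                 g["suspicious"], sorted(g["strings"])))
```

Run against the full report text, the same grouping shows how few distinct regions the hundreds of records actually cover, which is the first thing to settle before spending time on individual Opcode IDs: the `0000000002FC0000` and `0000000003080000` regions are where any reversing effort on the in-memory payload should start, and the `0000000000D22000` functions can be checked against the dropped `dhcpmon.exe` image instead.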