Windows Analysis Report doa8GHSloq

Overview

General Information

Sample Name:	doa8GHSloq (renamed file extension from none to exe)
Analysis ID:	508792
MD5:	f85ca66e06121eb29b26d78cc3f64554
SHA1:	141bc2598b79d80bb3ceda6fe98c49ab7c694dd8
SHA256:	2483d6141d48f387aad22f1bec5c45945bca933eb35ba13d6ff65a46b8720885
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b4ede67b-be7e-44fd-9e96-0c0f6d15", "Group": "Default", "Domain1": "watermalon1.sytes.net", "Domain2": "", "Port": 2010, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Yara detected Nanocore RAT

Source: Yara match	File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR

Machine Learning detection for sample

Source: doa8GHSloq.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 19.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.doa8GHSloq.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: doa8GHSloq.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 4x nop then jmp 052D2606h	0_2_052D2568
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 4x nop then jmp 052D2606h	0_2_052D25CA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 4x nop then jmp 05FE2606h	14_2_05FE2568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 06BF2606h	16_2_06BF2568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 05882606h	20_2_05882568

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49795 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49797 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49798 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49800 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49815 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49827 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49828 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49829 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49830 -> 37.0.10.144:2010

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: watermalon1.sytes.net

Source: doa8GHSloq.exe, 00000000.00000003.282939049.0000000004CE2000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC.
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn-uB
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comold
Source: doa8GHSloq.exe, 00000000.00000002.308356888.00000000058D0000.00000004.00020000.sdmp, doa8GHSloq.exe, 0000000E.00000002.331090884.0000000005D10000.00000004.00020000.sdmp, dhcpmon.exe, 00000010.00000002.336182412.00000000058A0000.00000004.00020000.sdmp, dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: doa8GHSloq.exe, 00000000.00000003.290626441.0000000004D0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: doa8GHSloq.exe, 00000000.00000003.290270148.0000000004D0E000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comS
Source: doa8GHSloq.exe, 00000000.00000003.290604147.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdh
Source: doa8GHSloq.exe, 00000000.00000003.290604147.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdw
Source: doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: doa8GHSloq.exe, 00000000.00000003.284469174.0000000004CE2000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000003.284115409.0000000004CE9000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: doa8GHSloq.exe, 00000000.00000003.292887688.0000000004D0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmFwaQ
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/&
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fi-fZ
Source: doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: doa8GHSloq.exe, 00000000.00000003.286357383.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/tali
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: doa8GHSloq.exe, 00000000.00000003.295742422.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: doa8GHSloq.exe, 00000000.00000003.281737832.0000000004CFB000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: doa8GHSloq.exe, 00000000.00000003.281737832.0000000004CFB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comauT
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com8
Source: doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comY
Source: doa8GHSloq.exe, 00000000.00000003.285080083.0000000004CF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: doa8GHSloq.exe, 00000000.00000003.285080083.0000000004CF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comslnt8
Source: doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comw
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.3.doa8GHSloq.exe.421d4fe.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4237555.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.3663ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.2cc38e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4237555.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4237555.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.3213ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.3.doa8GHSloq.exe.4231b29.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4231b29.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: doa8GHSloq.exe PID: 4820, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F1C10	0_2_049F1C10
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F9840	0_2_049F9840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F12A9	0_2_049F12A9
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F0B48	0_2_049F0B48
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F0099	0_2_049F0099
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4499	0_2_049F4499
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F8490	0_2_049F8490
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4831	0_2_049F4831
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049FA85C	0_2_049FA85C
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4840	0_2_049F4840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4988	0_2_049F4988
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F7D88	0_2_049F7D88
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F7D87	0_2_049F7D87
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F89D8	0_2_049F89D8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F71D0	0_2_049F71D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F35D0	0_2_049F35D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F89CA	0_2_049F89CA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F71C1	0_2_049F71C1
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F41F8	0_2_049F41F8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4978	0_2_049F4978
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F0AB0	0_2_049F0AB0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049FA610	0_2_049FA610
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4208	0_2_049F4208
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049FA620	0_2_049FA620
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F77B8	0_2_049F77B8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F37B0	0_2_049F37B0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4BD8	0_2_049F4BD8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4BC8	0_2_049F4BC8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F8BC8	0_2_049F8BC8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F37C0	0_2_049F37C0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F775A	0_2_049F775A
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F6B70	0_2_049F6B70
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F6B60	0_2_049F6B60
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_052D04E9	0_2_052D04E9
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05811C20	14_2_05811C20
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05819840	14_2_05819840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05810B48	14_2_05810B48
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058112B8	14_2_058112B8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05817D88	14_2_05817D88
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814988	14_2_05814988
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058171C1	14_2_058171C1
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058189CB	14_2_058189CB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058171D0	14_2_058171D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058135D0	14_2_058135D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058189D8	14_2_058189D8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058135E0	14_2_058135E0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058141F8	14_2_058141F8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05817D53	14_2_05817D53
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814979	14_2_05814979
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05810099	14_2_05810099
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581449B	14_2_0581449B
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058144A8	14_2_058144A8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058100A8	14_2_058100A8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05811C10	14_2_05811C10
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814831	14_2_05814831
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814840	14_2_05814840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581A857	14_2_0581A857
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058177A8	14_2_058177A8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058137B0	14_2_058137B0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058177B8	14_2_058177B8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058137C0	14_2_058137C0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814BC8	14_2_05814BC8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814BD8	14_2_05814BD8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581773B	14_2_0581773B
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05816B60	14_2_05816B60
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05816B70	14_2_05816B70
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058112AB	14_2_058112AB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05810AB0	14_2_05810AB0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814208	14_2_05814208
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581A610	14_2_0581A610
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581A620	14_2_0581A620
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05FE04EA	14_2_05FE04EA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260B48	16_2_03260B48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032612B8	16_2_032612B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03261C20	16_2_03261C20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03269840	16_2_03269840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326772A	16_2_0326772A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03266B70	16_2_03266B70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032677A8	16_2_032677A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032637B0	16_2_032637B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032677B8	16_2_032677B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032637C0	16_2_032637C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264BC8	16_2_03264BC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264BD8	16_2_03264BD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326A620	16_2_0326A620
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264208	16_2_03264208
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326A610	16_2_0326A610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260A4C	16_2_03260A4C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032612AA	16_2_032612AA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260AB0	16_2_03260AB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264979	16_2_03264979
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03267D50	16_2_03267D50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03267D88	16_2_03267D88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264988	16_2_03264988
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032635E0	16_2_032635E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032641F8	16_2_032641F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032671C1	16_2_032671C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032689CA	16_2_032689CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032671D0	16_2_032671D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032635D0	16_2_032635D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032689D8	16_2_032689D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264831	16_2_03264831
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03261C10	16_2_03261C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264840	16_2_03264840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326A857	16_2_0326A857
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032644A8	16_2_032644A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032600A8	16_2_032600A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326449A	16_2_0326449A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260099	16_2_03260099
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_06BF04E9	16_2_06BF04E9
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_04EE2FA8	18_2_04EE2FA8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_04EE23A0	18_2_04EE23A0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_04EE306F	18_2_04EE306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C82FA8	19_2_02C82FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C823A0	19_2_02C823A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C83850	19_2_02C83850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C8306F	19_2_02C8306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC1C10	20_2_04BC1C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC9840	20_2_04BC9840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC12AA	20_2_04BC12AA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC0B48	20_2_04BC0B48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC0099	20_2_04BC0099
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC449A	20_2_04BC449A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC8490	20_2_04BC8490
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4831	20_2_04BC4831
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BCA857	20_2_04BCA857
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4840	20_2_04BC4840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4988	20_2_04BC4988
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC7D88	20_2_04BC7D88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC41F8	20_2_04BC41F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC89D8	20_2_04BC89D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC71D0	20_2_04BC71D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC35D0	20_2_04BC35D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC89CA	20_2_04BC89CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC71C1	20_2_04BC71C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC7D78	20_2_04BC7D78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4979	20_2_04BC4979
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC0AB0	20_2_04BC0AB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BCA620	20_2_04BCA620
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BCA610	20_2_04BCA610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4208	20_2_04BC4208
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC77B8	20_2_04BC77B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC37B0	20_2_04BC37B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC77A8	20_2_04BC77A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4BD8	20_2_04BC4BD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4BC8	20_2_04BC4BC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC37C0	20_2_04BC37C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC6B70	20_2_04BC6B70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC6B60	20_2_04BC6B60
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC7756	20_2_04BC7756
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_058804EA	20_2_058804EA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B3850	21_2_057B3850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B2FA8	21_2_057B2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B23A0	21_2_057B23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B306F	21_2_057B306F

Source: doa8GHSloq.exe, 00000000.00000002.308356888.00000000058D0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000000.00000002.305345383.00000000009BA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000000.00000000.280232021.000000000023C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000000.00000002.308456105.00000000059A0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000009.00000000.302653222.000000000036C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000000.303527814.000000000073C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000E.00000002.331090884.0000000005D10000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000E.00000000.314793914.000000000105C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000E.00000002.331122001.0000000005D30000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000000.324530237.00000000005CC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe

Source: doa8GHSloq.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: unknown	Process created: C:\Users\user\Desktop\doa8GHSloq.exe 'C:\Users\user\Desktop\doa8GHSloq.exe'
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC94.tmp'
Source: unknown	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC94.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_04BB035A AdjustTokenPrivileges,		0_2_04BB035A
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_04BB0323 AdjustTokenPrivileges,		0_2_04BB0323

Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_01
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b4ede67b-be7e-44fd-9e96-0c0f6d15978b}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_01

Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_0017443B push ecx; iretd	0_2_0017443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_00172050 push 42EEF92Dh; iretd	0_2_0017206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_001763D6 push edx; iretd	0_2_001763EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2B81 push eax; ret	0_2_008F2B82
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F29B9 push edi; ret	0_2_008F29BA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2EB9 push edi; ret	0_2_008F2EBA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2CE0 push eax; ret	0_2_008F2CE2
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2A25 push edi; ret	0_2_008F2A26
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2D35 push eax; ret	0_2_008F2D36
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2E34 push eax; ret	0_2_008F2E42
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2E54 push eax; ret	0_2_008F2E5A
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2A6C push ecx; ret	0_2_008F2A6E
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_00907200 push eax; ret	0_2_00907201
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F5215 push eax; ret	0_2_049F5216
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 9_2_002A443B push ecx; iretd	9_2_002A443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 9_2_002A2050 push 42EEF92Dh; iretd	9_2_002A206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 9_2_002A63D6 push edx; iretd	9_2_002A63EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_00F963D6 push edx; iretd	14_2_00F963EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_00F92050 push 42EEF92Dh; iretd	14_2_00F9206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_00F9443B push ecx; iretd	14_2_00F9443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05815215 push eax; ret	14_2_05815216
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_00D563D6 push edx; iretd	16_2_00D563EB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_00D52050 push 42EEF92Dh; iretd	16_2_00D5206D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_00D5443B push ecx; iretd	16_2_00D5443F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03265215 push eax; ret	16_2_03265216
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_06BF275B push es; ret	16_2_06BF275C
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_00502050 push 42EEF92Dh; iretd	18_2_0050206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_0050443B push ecx; iretd	18_2_0050443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_005063D6 push edx; iretd	18_2_005063EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_00DC2DD9 push edi; ret	18_2_00DC2DDA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_00DC2DCD push edi; ret	18_2_00DC2DCE

Source: initial sample	Static PE information: section name: .text entropy: 7.83365535264
Source: initial sample	Static PE information: section name: .text entropy: 7.83365535264

Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: Yara match	File source: 16.2.dhcpmon.exe.35f817c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.281814c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.29b817c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.363814c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 3860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6520, type: MEMORYSTR

Windows Analysis Report doa8GHSloq

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: doa8GHSloq.exe, 00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp, doa8GHSloq.exe, 0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: doa8GHSloq.exe, 00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp, doa8GHSloq.exe, 0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep count: 277 > 30	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6220	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 5568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212	Thread sleep time: -43068s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6612	Thread sleep time: -41560s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Window / User API: foregroundWindowGot 669			Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Window / User API: foregroundWindowGot 663			Jump to behavior

Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: doa8GHSloq.exe, 0000000A.00000003.449409834.0000000000DE6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Memory written: C:\Users\user\Desktop\doa8GHSloq.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Memory written: C:\Users\user\Desktop\doa8GHSloq.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: doa8GHSloq.exe, 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: doa8GHSloq.exe, 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
watermalon1.sytes.net	true	Avira URL Cloud: safe	unknown