Windows Analysis Report NEW PRICE ENQUIRY FROM PHILLIPINES.exe

Overview

General Information

Sample Name: NEW PRICE ENQUIRY FROM PHILLIPINES.exe
Analysis ID: 552509
MD5: ca0d3ca986e592ec436052f747f833c0
SHA1: 8bdb8ebea5444c42c75c0b30ac8628d06c6cbce0
SHA256: 5e4ccf3d7a2885ab1f1ce83b855ec6f8b771b1731fad4807f8d57b250a5505ad
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
.NET source code contains method to dynamically call methods (often used by packers)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • NEW PRICE ENQUIRY FROM PHILLIPINES.exe (PID: 976 cmdline: "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" MD5: CA0D3CA986E592EC436052F747F833C0)
    • NEW PRICE ENQUIRY FROM PHILLIPINES.exe (PID: 6296 cmdline: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe MD5: CA0D3CA986E592EC436052F747F833C0)
      • schtasks.exe (PID: 4544 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5096 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 4800 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 5644 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
  • dhcpmon.exe (PID: 3832 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 6728 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 6780 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 6992 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
8.2.dhcpmon.exe.2e38774.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
11.2.dhcpmon.exe.399ec60.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.399ec60.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ParentImage: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ParentProcessId: 6296, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp, ProcessId: 4544

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Virustotal: Detection: 33%
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Metadefender: Detection: 28%
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ReversingLabs: Detection: 48%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Metadefender: Detection: 28%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 48%
Yara detected Nanocore RAT
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: PermissionSetAttribu.pdb source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmp

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: kashbilly.ddns.net
Source: global traffic, TCP traffic: 192.168.2.6:49757 -> 197.211.59.104:6060
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmpString found in binary or memory: http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: http://www.radgametools.com/bnkdown.htm
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: http://www.totalbf2142.com/forums/showthread.php?t=5342
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.374107152.0000000000D62000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000000.368593122.0000000000D32000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000000.388098487.0000000000112000.00000002.00020000.sdmp, dhcpmon.exe, 00000008.00000002.412733612.0000000000942000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmpString found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663Mhttp://igaeditor.sourceforge.net/wiki/
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: https://sourceforge.net/svn/?group_id=181663
        Source: unknown; DNS traffic detected: queries for: kashbilly.ddns.net
        Source: dhcpmon.exe, 00000008.00000002.414092694.0000000001098000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.4139930.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.4139930.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.33f9930.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.33f9930.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.37f9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.37f9930.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample, Static PE information: Filename: NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.3e8b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.3e8b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.3e8b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a4bed.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a4bed.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.3e905c4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.3e905c4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3186a78.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3186a78.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f84bed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f84bed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.396c040.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.396c040.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.396c040.7.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3f5c040.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3f5c040.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.2.dhcpmon.exe.3f5c040.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3b705c4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3b705c4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.3b705c4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3b705c4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.2b89688.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2b89688.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.dhcpmon.exe.3e905c4.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.3e905c4.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f7b78e.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f7b78e.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f7b78e.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.5910000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.5910000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.3b6b78e.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3b6b78e.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.3b6b78e.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6704629.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6704629.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42dec60.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42dec60.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3f8ec60.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3f8ec60.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3f8ec60.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3f8ec60.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.2.dhcpmon.exe.3f8ec60.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3f5c040.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3f5c040.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.396c040.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.396c040.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3b74bed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3b74bed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42dec60.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42dec60.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42dec60.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.2ea9688.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.2ea9688.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.419b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.419b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.419b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.dhcpmon.exe.3e94bed.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.3e94bed.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.399ec60.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.399ec60.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3de9930.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3de9930.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.4139930.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.4139930.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.33f9930.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.33f9930.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.37f9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.37f9930.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.374253790.0000000000E24000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000000.368688896.0000000000DF4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628691337.0000000003151000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630982055.0000000006860000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.404702459.00000000001D4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.420068237.0000000000BF4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.420894807.000000000125A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeVirustotal: Detection: 33%
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeMetadefender: Detection: 28%
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeReversingLabs: Detection: 48%
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeFile read: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe"
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" 0
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PRICE ENQUIRY FROM PHILLIPINES.exe.log
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
        Source: classification engineClassification label: mal100.troj.evad.winEXE@22/8@7/1
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.374107152.0000000000D62000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000000.368593122.0000000000D32000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000000.388098487.0000000000112000.00000002.00020000.sdmp, dhcpmon.exe, 00000008.00000002.412733612.0000000000942000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [content] ([active], [activate], [expire], [dayparts], [contentType], [descriptor], [size], [viewcount], [viewlimit], [displayafter], [props], [data]) VALUES (@active, @activate, @expire, @dayparts, @contentType, @descriptor, @size, @viewcount, @viewlimit, @displayafter, @props, @data); SELECT last_insert_rowid() AS contentId;
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{51e297f7-7758-4d32-86af-0aafa20a3f56}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeFile created: C:\Program Files (x86)\DHCP Monitor
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, mee/Keg.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.csCryptographic APIs: 'CreateDecryptor'
        Source: dhcpmon.exe.2.dr, mee/Keg.csCryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, mee/Keg.csCryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.3.unpack, mee/Keg.csCryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.7.unpack, mee/Keg.csCryptographic APIs: 'CreateDecryptor'
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: PermissionSetAttribu.pdb source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.2.dr, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.3.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.7.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.11.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        .NET source code contains method to dynamically call methods (often used by packers)
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: dhcpmon.exe.2.dr, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.3.unpack, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.7.unpack, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.11.unpack, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, mee/Keg.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Code function: 0_2_076E61E9 push ebx; iretd 0_2_076E61EA
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Code function: 5_2_066B8E8B push es; ret 5_2_066B8E8C
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Code function: 5_2_066B8B7F push es; iretd 5_2_066B8B84
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Code function: 5_2_066B61E9 push ebx; iretd 5_2_066B61EA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 8_2_075361E9 push ebx; iretd 8_2_075361EA
        Source: initial sample Static PE information: section name: .text entropy: 7.78570516551
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe File opened: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match File source: 8.2.dhcpmon.exe.2e38774.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.315dc78.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3188810.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 8.2.dhcpmon.exe.2e0dbdc.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.241dc78.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2448810.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.2.dhcpmon.exe.2848774.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.2.dhcpmon.exe.281dbdc.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 772 Thread sleep time: -39926s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 5888 Thread sleep time: -10145709240540247s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 6420 Thread sleep time: -38463s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 5104 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4400 Thread sleep time: -35164s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5964 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 6636 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5024 Thread sleep time: -33769s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5596 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6704 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Window / User API: threadDelayed 6516
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Window / User API: threadDelayed 2954
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Window / User API: foregroundWindowGot 874
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Thread delayed: delay time: 39926
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Thread delayed: delay time: 38463
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 35164
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 33769
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.627007908.00000000012E5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628991392.00000000031C7000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629899402.0000000003722000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629391684.00000000032A7000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629737178.0000000003592000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629584039.00000000033FD000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630799975.00000000065EB000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629242696.0000000003259000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.631357745.00000000070ED000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.631186845.0000000006BBC000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630964365.000000000685D000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629433411.00000000032B4000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progman
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: &Program Manager
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara matchFile source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 2 | Input Capture 21 | Security Software Discovery 21 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

        [Figure: behavior graph, ID 552509. Sample: NEW PRICE ENQUIRY FROM PHIL..., start date 13/01/2022, architecture WINDOWS, score 100. Nodes: NEW PRICE ENQUIRY FROM PHILLIPINES.exe and dhcpmon.exe, each starting further instances of itself; one NEW PRICE ENQUIRY FROM PHILLIPINES.exe instance contacts kashbilly.ddns.net (197.211.59.104, 6060, globacom-asNG, Nigeria), drops C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (data) and C:\Users\user\AppData\Local\...\tmp1E56.tmp (XML), and starts two schtasks.exe processes, each with a conhost.exe child. Signatures shown: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Hides that the sample has been downloaded from the Internet (zone.identifier); 11 other signatures.]


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        NEW PRICE ENQUIRY FROM PHILLIPINES.exe | 34% | Virustotal | | Browse
        NEW PRICE ENQUIRY FROM PHILLIPINES.exe | 29% | Metadefender | | Browse
        NEW PRICE ENQUIRY FROM PHILLIPINES.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 29% | Metadefender | | Browse
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

        Unpacked PE Files

        Source | Detection | Scanner | Label | Link | Download
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        18.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        12.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
        18.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        12.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        18.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        18.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        18.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        12.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        18.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        12.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        12.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        12.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label | Link
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
        http://micolous.id.au/projects/bf21 | 0% | Avira URL Cloud | safe |
        http://www.tiro.com | 0% | URL Reputation | safe |
        http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279 | 0% | Avira URL Cloud | safe |
        http://www.goodfont.co.kr | 0% | URL Reputation | safe |
        http://www.carterandcone.coml | 0% | URL Reputation | safe |
        http://www.sajatypeworks.com | 0% | URL Reputation | safe |
        http://www.typography.netD | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
        http://fontfabrik.com | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
        http://www.totalbf2142.com/forums/showthread.php?t=5342 | 0% | Avira URL Cloud | safe |
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
        http://micolous.id.au/projects/bf2142/. | 0% | Avira URL Cloud | safe |
        http://www.sandoll.co.kr | 0% | URL Reputation | safe |
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
        http://micolous.id.au/ | 0% | Avira URL Cloud | safe |
        http://www.sakkal.com | 0% | URL Reputation | safe |
        http://micolous.id.au/projects/bf2142/ | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        kashbilly.ddns.net | 197.211.59.104 | true | false | | high

          URLs from Memory and Binaries


        Contacted IPs

        Public

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        197.211.59.104 | kashbilly.ddns.net | Nigeria | | 37148 | globacom-asNG | false

        General Information

        Joe Sandbox Version: 34.0.0 Boulder Opal
        Analysis ID: 552509
        Start date: 13.01.2022
        Start time: 13:16:18
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 14m 2s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed: 30
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@22/8@7/1
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 1% (good quality ratio 0.8%)
        • Quality average: 60.1%
        • Quality standard deviation: 34.3%
                                                          HCA Information:
                                                          • Successful, ratio: 96%
                                                          • Number of executed functions: 196
                                                          • Number of non-executed functions: 7
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                          • Not all processes were analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          Time | Type | Description
                                                          13:17:30 | API Interceptor | 907x Sleep call for process: NEW PRICE ENQUIRY FROM PHILLIPINES.exe modified
                                                          13:17:38 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          13:17:39 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" s>$(Arg0)
                                                          13:17:42 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                                          13:17:45 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):784384
                                                          Entropy (8bit):7.771015792978407
                                                          Encrypted:false
                                                          SSDEEP:12288:jOi+lUcXEM6qtPn8tbobGFuWWBJxMDL08n1bimg9jnwHF6KmB5I:6i8XE+P8tb5uWWBM30UbejnsGBW
                                                          MD5:CA0D3CA986E592EC436052F747F833C0
                                                          SHA1:8BDB8EBEA5444C42C75C0B30AC8628D06C6CBCE0
                                                          SHA-256:5E4CCF3D7A2885AB1F1CE83B855EC6F8B771B1731FAD4807F8D57B250A5505AD
                                                          SHA-512:87B8DDE119068E43BEF447A59523565291392F949AFFA3F5F17713A9FCFD0D7C6F466D0E1C0D0F01F8B779A0753279A291C3CB4CA6E604EFB54E390896FD26B3
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 29%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 49%
                                                          Reputation:unknown
                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PRICE ENQUIRY FROM PHILLIPINES.exe.log
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1310
                                                          Entropy (8bit):5.345651901398759
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                          MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                          SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                          SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                          SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1310
                                                          Entropy (8bit):5.345651901398759
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                          MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                          SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                          SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                          SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1327
                                                          Entropy (8bit):5.13500670090371
                                                          Encrypted:false
                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0VC0xtn:cbk4oL600QydbQxIYODOLedq3Z0j
                                                          MD5:552FA7AF5F278BF5AC6355B61EFF095D
                                                          SHA1:DD4F276FA31AEB75DE477977A807CEE673B5560A
                                                          SHA-256:94E06F5F5470FA4BDC3EB130222C8352A763C2CEC568029C89808427C979A88A
                                                          SHA-512:5E3ABBDDBCA04376DDF72301BDE566A09543CE9D0DF4A2B5EE69AA755FFF151662E2013DAFEEDDEC722D23E1E23F90DAA36B0CDF8D0D7222296A2D2027FBD9D8
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                          C:\Users\user\AppData\Local\Temp\tmp3019.tmp
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):1310
                                                          Entropy (8bit):5.109425792877704
                                                          Encrypted:false
                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:n78:g
                                                          MD5:4FAF345031681B7C40273BC270C99E93
                                                          SHA1:6660712EC422C5B5B9D93EB34CD741DA8316E92B
                                                          SHA-256:4BC0DAC6D0EFDF3534421E795FABFC7943B0ACCC6ECCF113DEFBBD5EA9D7FF54
                                                          SHA-512:6B9B03BE05E6804C27D953E6B57317090F4874E7E545442BB04608BEBB6970EBB22079809FCDF9CF15FB4825373CA2398E6D7757CF5349CD836A47AA65BC05D2
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview: M.=....H
                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):4.683114454101657
                                                          Encrypted:false
                                                          SSDEEP:3:oNN2+WrHk2yJn:oNN2RY2Y
                                                          MD5:E26B66631E3B80974878501C3F4E3923
                                                          SHA1:8F9E67EF46D390D95BC032028B6D3C3C66F02504
                                                          SHA-256:09DC45D6D6EEE1813B8F6FD9F73632C6FD99E6E1C5AD63FCF024FC48BEBE2342
                                                          SHA-512:BCC92B9669351D76C9AD44393BD52269DF2C033B80D5FA2B6902D72EAD8FEFCF931B8D3B64FB5B18ABDEB9795FD7565DE68E2596E513BDA1F2C79C4A8BAD3612
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.771015792978407
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                          File name:NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File size:784384
                                                          MD5:ca0d3ca986e592ec436052f747f833c0
                                                          SHA1:8bdb8ebea5444c42c75c0b30ac8628d06c6cbce0
                                                          SHA256:5e4ccf3d7a2885ab1f1ce83b855ec6f8b771b1731fad4807f8d57b250a5505ad
                                                          SHA512:87b8dde119068e43bef447a59523565291392f949affa3f5f17713a9fcfd0d7c6f466d0e1c0d0f01f8b779a0753279a291c3cb4ca6e604efb54e390896fd26b3
                                                          SSDEEP:12288:jOi+lUcXEM6qtPn8tbobGFuWWBJxMDL08n1bimg9jnwHF6KmB5I:6i8XE+P8tb5uWWBM30UbejnsGBW

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4c06ee
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x61DE33C2 [Wed Jan 12 01:49:54 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xc06a0          0x4b          .text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x54c         .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc6000          0xc           .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0xc0651          0x1c          .text
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                          Sections

                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                          .text   0x2000           0xbe6f4       0xbe800   False     0.887363383776   data       7.78570516551    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .sdata  0xc2000          0x204         0x400     False     0.458984375      data       4.099059951      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .rsrc   0xc4000          0x54c         0x600     False     0.341145833333   data       2.76865116557    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc  0xc6000          0xc           0x200     False     0.041015625      data       0.0776331623432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          Name           RVA      Size   Type                  Language  Country
                                                          RT_ICON        0xc40e8  0xb0   GLS_BINARY_LSB_FIRST
                                                          RT_GROUP_ICON  0xc4198  0x14   data
                                                          RT_VERSION     0xc41ac  0x3a0  data

                                                          Imports

                                                          DLL          Import
                                                          mscoree.dll  _CorExeMain

                                                          Version Infos

                                                          Description       Data
                                                          Translation       0x0000 0x04b0
                                                          LegalCopyright    Copyright micolous 2006-2007
                                                          Assembly Version  0.1.6.0
                                                          InternalName      PermissionSetAttribu.exe
                                                          FileVersion       0.1.6.0
                                                          CompanyName       micolous
                                                          LegalTrademarks
                                                          Comments
                                                          ProductName       IGA Ad Cache Editor
                                                          ProductVersion    0.1.6.0
                                                          FileDescription   IGA Ad Cache Editor
                                                          OriginalFilename  PermissionSetAttribu.exe

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                          Timestamp                 Protocol  SID  Message                                                        Source Port  Dest Port  Source IP  Dest IP
                                                          01/13/22-13:17:42.583459  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           64267      8.8.8.8    192.168.2.6
                                                          01/13/22-13:17:59.424978  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           60342      8.8.8.8    192.168.2.6
                                                          01/13/22-13:18:51.386646  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           54982      8.8.8.8    192.168.2.6
                                                          01/13/22-13:19:10.154501  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           50010      8.8.8.8    192.168.2.6

                                                          DNS Queries

                                                          Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
                                                          Jan 13, 2022 13:17:42.564188957 CET  192.168.2.6  8.8.8.8  0x2e71    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:17:59.405607939 CET  192.168.2.6  8.8.8.8  0x6c08    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:16.749871969 CET  192.168.2.6  8.8.8.8  0xe1a1    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:33.609488964 CET  192.168.2.6  8.8.8.8  0xc4c4    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:51.365160942 CET  192.168.2.6  8.8.8.8  0x37c9    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:10.133548021 CET  192.168.2.6  8.8.8.8  0x6a08    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:28.203470945 CET  192.168.2.6  8.8.8.8  0x1b92    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)

                                                          DNS Answers

                                                          Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class
                                                          Jan 13, 2022 13:17:42.583458900 CET  8.8.8.8    192.168.2.6  0x2e71    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:17:59.424978018 CET  8.8.8.8    192.168.2.6  0x6c08    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:16.769443035 CET  8.8.8.8    192.168.2.6  0xe1a1    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:33.628575087 CET  8.8.8.8    192.168.2.6  0xc4c4    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:51.386646032 CET  8.8.8.8    192.168.2.6  0x37c9    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:10.154500961 CET  8.8.8.8    192.168.2.6  0x6a08    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:28.220710039 CET  8.8.8.8    192.168.2.6  0x1b92    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)

                                                          System Behavior

                                                          General

                                                          Start time:13:17:22
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe"
                                                          Imagebase:0xd60000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:30
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Imagebase:0xd30000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.628691337.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, Author: Joe Security
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:35
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
                                                          Imagebase:0xa40000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:37
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff61de10000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:39
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" 0
                                                          Imagebase:0x110000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:40
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp
                                                          Imagebase:0xa40000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:41
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff61de10000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:42
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                                          Imagebase:0x940000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Antivirus matches:
                                                          • Detection: 29%, Metadefender, Browse
                                                          • Detection: 49%, ReversingLabs
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:43
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Imagebase:0xb30000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:46
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                          Imagebase:0x280000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:46
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0x760000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:51
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0x3c0000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:53
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0x170000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:56
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0xa40000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          Disassembly

                                                          Code Analysis

                                                            Execution Graph

                                                            Execution Coverage:6.8%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:103
                                                            Total number of Limit Nodes:7

                                                            Graph


                                                            Executed Functions

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 03109A6E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 403527e5168d838370bea9f61658464dd953a7f61f9a3f906bc833bbfa439f14
                                                            • Instruction ID: 77e70ca7577e4531f702e63e2d84000c82773dd03cc94e5e77f6238991d0ec27
                                                            • Opcode Fuzzy Hash: 403527e5168d838370bea9f61658464dd953a7f61f9a3f906bc833bbfa439f14
                                                            • Instruction Fuzzy Hash: 8D712370A00B098FD724DF2AD09175AB7F5FF88214F048A2ED49ADBA90DB74E845CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 58 310405c-3105769 CreateActCtxA 61 3105772-31057cc 58->61 62 310576b-3105771 58->62 69 31057db-31057df 61->69 70 31057ce-31057d1 61->70 62->61 71 31057f0 69->71 72 31057e1-31057ed 69->72 70->69 74 31057f1 71->74 72->71 74->74
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 03105759
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 9da709704b22de821a2c85ca77b1f0e60958f453cee4993e685680061839e083
                                                            • Instruction ID: cd72320bb438103933bac48e694dd3f3f6953de033354a6d63fc5619ac260776
                                                            • Opcode Fuzzy Hash: 9da709704b22de821a2c85ca77b1f0e60958f453cee4993e685680061839e083
                                                            • Instruction Fuzzy Hash: B241E271C0071CCBDB24DFA9C884B9EBBB6BF89304F648069D419AB291DBB56945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 75 310569d-3105769 CreateActCtxA 77 3105772-31057cc 75->77 78 310576b-3105771 75->78 85 31057db-31057df 77->85 86 31057ce-31057d1 77->86 78->77 87 31057f0 85->87 88 31057e1-31057ed 85->88 86->85 90 31057f1 87->90 88->87 90->90
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 03105759
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: a31faab15c89a6122682c94ee161ac83d32232ef2b3102d52e6d2aabfdf266ab
                                                            • Instruction ID: aea0688b9a56eb34008fa4a184c4460c2560e71546732267f2f3684f9eb6ed8e
                                                            • Opcode Fuzzy Hash: a31faab15c89a6122682c94ee161ac83d32232ef2b3102d52e6d2aabfdf266ab
                                                            • Instruction Fuzzy Hash: BF41F371C00718CFDB14DFA9C984B8EBBB2BF49308F24806AD419AB291DBB56945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 91 310a584-310bdcc DuplicateHandle 93 310bdd5-310bdf2 91->93 94 310bdce-310bdd4 91->94 94->93
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0310BCFE,?,?,?,?,?), ref: 0310BDBF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: ae321b0a95a4ec508955b79752de70aefff83cee5b6319a748d26b16862c1131
                                                            • Instruction ID: 2f7c16b8fd4470f7fc8acb7dae63af77ea6876df9f27150bad80163a0418e7bd
                                                            • Opcode Fuzzy Hash: ae321b0a95a4ec508955b79752de70aefff83cee5b6319a748d26b16862c1131
                                                            • Instruction Fuzzy Hash: 8921E3B59002589FDB10CF99D984ADEFBF4EB48324F14842AE925B3350D378A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 97 310bd30-310bd33 98 310bd38-310bdcc DuplicateHandle 97->98 99 310bdd5-310bdf2 98->99 100 310bdce-310bdd4 98->100 100->99
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0310BCFE,?,?,?,?,?), ref: 0310BDBF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 43cc37e10ee0ee6f9eaf3764721c5edb92a41241232873a62028274832f1f1e7
                                                            • Instruction ID: 9b563a8042e7a77ccd512bc3750256ccba33adb2f07213ff072be7797a81aa5f
                                                            • Opcode Fuzzy Hash: 43cc37e10ee0ee6f9eaf3764721c5edb92a41241232873a62028274832f1f1e7
                                                            • Instruction Fuzzy Hash: 8C21E6B59002199FDB10CF99D985ADEFBF4EF48324F14842AE815B3350D378A955CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 103 3108b80-3109cd0 105 3109cd2-3109cd5 103->105 106 3109cd8-3109d07 LoadLibraryExW 103->106 105->106 107 3109d10-3109d2d 106->107 108 3109d09-3109d0f 106->108 108->107
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03109AE9,00000800,00000000,00000000), ref: 03109CFA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 9ce3d90b3f876f89111b663a5939ccf43a69747d0c6d24f9a0e6a80aaa5c1672
                                                            • Instruction ID: 62f796e830a0bae1b22bb95a23777322412d282fa526647bf5003ff9377066c6
                                                            • Opcode Fuzzy Hash: 9ce3d90b3f876f89111b663a5939ccf43a69747d0c6d24f9a0e6a80aaa5c1672
                                                            • Instruction Fuzzy Hash: 0711F4B6D003099BCB10CF9AC544A9EFBF4EB89224F14842AD429B7250C3B5A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 111 3109a08-3109a48 112 3109a50-3109a7b GetModuleHandleW 111->112 113 3109a4a-3109a4d 111->113 114 3109a84-3109a98 112->114 115 3109a7d-3109a83 112->115 113->112 115->114
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 03109A6E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 030e73aab0a98540aab0d741175024b919023adc908da080ae9b28f5f409ea94
                                                            • Instruction ID: ac66b341a47110a996e22e94d2851400512d72e7a046d3dcbd18070f2f288e6e
                                                            • Opcode Fuzzy Hash: 030e73aab0a98540aab0d741175024b919023adc908da080ae9b28f5f409ea94
                                                            • Instruction Fuzzy Hash: 8A11DFB6D00659CFCB10CF9AC844BDEFBF4EB88224F14852AD429B7650C3B9A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 117 76e2ad8-76ed27a PostMessageW 119 76ed27c-76ed282 117->119 120 76ed283-76ed297 117->120 119->120
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 076ED26D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378924779.00000000076E0000.00000040.00000001.sdmp, Offset: 076E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_76e0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: f50b3086656a7f69992c6b8060083fe79dd88313bd78ac9b8964d9b9f4eb395a
                                                            • Instruction ID: bb6cb20f46847bd05743117cfc91c7fc872365c605471d0fcd949ae34f3f91db
                                                            • Opcode Fuzzy Hash: f50b3086656a7f69992c6b8060083fe79dd88313bd78ac9b8964d9b9f4eb395a
                                                            • Instruction Fuzzy Hash: 371106B59003499FCB10DF99C489BDEBBF8EB48324F10841AE525B7300C375A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%


                                                            Non-executed Functions

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1970c88b85de23fb1db2477e1ec1d585eb7c6251ecaee014da11b734e68f2c61
                                                            • Instruction ID: 2d55380d16fd0c2fd1f94d4fc620fbf2fd6807321d52d93ec3f85e9a6b4ccf96
                                                            • Opcode Fuzzy Hash: 1970c88b85de23fb1db2477e1ec1d585eb7c6251ecaee014da11b734e68f2c61
                                                            • Instruction Fuzzy Hash: 0712DBF1421B468BD310CF65E58A1893FE1B741329F91420AF2A19BED0EFB4116EEF64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4c457a473700f91c183be27ab8154b6aeb40c0e6c4ceb743796b9097ca46ae1f
                                                            • Instruction ID: a454ca8cc630f054e7291dd39937b0300852b547c6f901638ec0bd72f5b1f2d9
                                                            • Opcode Fuzzy Hash: 4c457a473700f91c183be27ab8154b6aeb40c0e6c4ceb743796b9097ca46ae1f
                                                            • Instruction Fuzzy Hash: DBA19E36E00619CFCF05DFB5C98459EBBB2FF88300B15856AE806AF261DB71A905CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.375295598.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3100000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e0a7f5080ab29d66ef654399090f5fa620268dbf8a0530bb5264f55edad4d3a
                                                            • Instruction ID: 69b109b040f9e3d4a4b835f0afb265775908121baff1320c67c1e50323c3bcfe
                                                            • Opcode Fuzzy Hash: 4e0a7f5080ab29d66ef654399090f5fa620268dbf8a0530bb5264f55edad4d3a
                                                            • Instruction Fuzzy Hash: 91C130B14217068BD310DF65E98A2897FB1FB45329F51420AF1A1ABAD0FFB4106EEF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378924779.00000000076E0000.00000040.00000001.sdmp, Offset: 076E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_76e0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d7372d075234f29b9f4b6a492a884b81f099bca5e2d8ebcd1979199f6290c7bf
                                                            • Instruction ID: de672cf100d23fe7f741d847a801686a1bec738e4f237c9c83f20459ab771346
                                                            • Opcode Fuzzy Hash: d7372d075234f29b9f4b6a492a884b81f099bca5e2d8ebcd1979199f6290c7bf
                                                            • Instruction Fuzzy Hash: 465171B4E0024D8FD748DFBAE84169E7BF6FB86304F04C529D40A9B394EF385A558B52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378924779.00000000076E0000.00000040.00000001.sdmp, Offset: 076E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_76e0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378924779.00000000076E0000.00000040.00000001.sdmp, Offset: 076E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_76e0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378924779.00000000076E0000.00000040.00000001.sdmp, Offset: 076E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_76e0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:16.1%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:199
                                                            Total number of Limit Nodes:10

                                                            Graph


                                                            Executed Functions

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0161B730
                                                            • GetCurrentThread.KERNEL32 ref: 0161B76D
                                                            • GetCurrentProcess.KERNEL32 ref: 0161B7AA
                                                            • GetCurrentThreadId.KERNEL32 ref: 0161B803
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0161B730
                                                            • GetCurrentThread.KERNEL32 ref: 0161B76D
                                                            • GetCurrentProcess.KERNEL32 ref: 0161B7AA
                                                            • GetCurrentThreadId.KERNEL32 ref: 0161B803
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.631234001.0000000006BE0000.00000040.00000001.sdmp, Offset: 06BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6be0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0161962E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • RegQueryValueExA.KERNELBASE(00000000,05795F31,00020119,00000000,00000000,?), ref: 057962FF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID:
                                                            • API String ID: 3660427363-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06BE3738
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.631234001.0000000006BE0000.00000040.00000001.sdmp, Offset: 06BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6be0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Query_
                                                            • String ID:
                                                            • API String ID: 428220571-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06BE3738
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.631234001.0000000006BE0000.00000040.00000001.sdmp, Offset: 06BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6be0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Query_
                                                            • String ID:
                                                            • API String ID: 428220571-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0161FD0A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0161FD0A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 057960AF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 057960AF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DeleteFileA.KERNELBASE(?), ref: 05798B04
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DeleteFileA.KERNELBASE(?), ref: 05798B04
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0161BD87
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0161BD87
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016196A9,00000800,00000000,00000000), ref: 016198BA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016196A9,00000800,00000000,00000000), ref: 016198BA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0161962E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetWindowLongW.USER32(?,?,?), ref: 0161FE9D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LongWindow
                                                            • String ID:
                                                            • API String ID: 1378638983-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DispatchMessage
                                                            • String ID:
                                                            • API String ID: 2061451462-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegCloseKey.KERNELBASE(00000000), ref: 0579642F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegCloseKey.KERNELBASE(00000000), ref: 0579642F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetWindowLongW.USER32(?,?,?), ref: 0161FE9D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627584152.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_1610000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LongWindow
                                                            • String ID:
                                                            • API String ID: 1378638983-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.630373034.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_5790000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DispatchMessage
                                                            • String ID:
                                                            • API String ID: 2061451462-0
                                                            • Opcode ID: 5a72ef7385e76de1ffb9003f665cedeecfbf842530561be9c9ad0a0f6a94fa03
                                                            • Instruction ID: 79df06f3a3a1ee7f94156d192245b6b9f879a2d475cb59c93cafc97bf865fb9b
                                                            • Opcode Fuzzy Hash: 5a72ef7385e76de1ffb9003f665cedeecfbf842530561be9c9ad0a0f6a94fa03
                                                            • Instruction Fuzzy Hash: 601100B1C006488FCB10CF9AD448BCEFBF4EB89324F10842AD429B3210C378A544CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627354712.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_159d000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 724ec94dda8193c1a82dfbf1e0a0ccbbd113e9eeb144c8fe4f3ec54e7dbfa561
                                                            • Instruction ID: dd53b7cd0daaac1b09f085bf5f75e6ce20bc4300ad2854f184d69ba6555925c0
                                                            • Opcode Fuzzy Hash: 724ec94dda8193c1a82dfbf1e0a0ccbbd113e9eeb144c8fe4f3ec54e7dbfa561
                                                            • Instruction Fuzzy Hash: 2521C1B1504244EFDF05DF54D9C0B6ABBB5FB88364F24C569E8090F246C376E856CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627354712.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_159d000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e835ab1a76074615d3471aed749230ae412bb14f72cdb5d6ab9a3de2bb877e0d
                                                            • Instruction ID: 1df603c99ac60874cfa06d8255fdfd65992f9897917c10956a92000de2d21317
                                                            • Opcode Fuzzy Hash: e835ab1a76074615d3471aed749230ae412bb14f72cdb5d6ab9a3de2bb877e0d
                                                            • Instruction Fuzzy Hash: 592106B1504344DFDF05DF94D9C0B2ABFB5FB88368F248569D9090E246C376E855CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627382110.00000000015AD000.00000040.00000001.sdmp, Offset: 015AD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_15ad000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d65b64abcbaa5e0fe63b9d467560c77675c4969a3c82acd30dd29ea64d450780
                                                            • Instruction ID: 469cf4f1cc845a5ed04953d6ea84050ca060201415df46f03531e5032abb985c
                                                            • Opcode Fuzzy Hash: d65b64abcbaa5e0fe63b9d467560c77675c4969a3c82acd30dd29ea64d450780
                                                            • Instruction Fuzzy Hash: E4213371584300DFCB10EF54D8C0B1ABBB1FB88354F60C969D8090F642D33BD806CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627382110.00000000015AD000.00000040.00000001.sdmp, Offset: 015AD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_15ad000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3b7499a3de98546396d8a602ee9264796c01b1072a2cee8026bbaf325c55cc9b
                                                            • Instruction ID: 127522f7f23aabb99b30453a450845b3034a9b36cae0aa52dcb9ab98918f4c1a
                                                            • Opcode Fuzzy Hash: 3b7499a3de98546396d8a602ee9264796c01b1072a2cee8026bbaf325c55cc9b
                                                            • Instruction Fuzzy Hash: 762192755493808FCB03CF24D990719BF71FB46214F28C5EAD8498F657C33A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627354712.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_159d000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02300354f26ebcfd8d1f5fee0bd3ff538f9c080a3beecbef12d4a17bc3822e08
                                                            • Instruction ID: 357d6af1dde5dafcdbf886bcba53a008b7015863af721c93d2f5c5701087905a
                                                            • Opcode Fuzzy Hash: 02300354f26ebcfd8d1f5fee0bd3ff538f9c080a3beecbef12d4a17bc3822e08
                                                            • Instruction Fuzzy Hash: D111B176404280CFDF12CF54D9C4B1ABF71FB84324F28C6A9D9050B616C336D456CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.627354712.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_159d000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02300354f26ebcfd8d1f5fee0bd3ff538f9c080a3beecbef12d4a17bc3822e08
                                                            • Instruction ID: 2e1e3391851879b568760ec0585e97e32cc334215c74ab5af5b1a42da10d024f
                                                            • Opcode Fuzzy Hash: 02300354f26ebcfd8d1f5fee0bd3ff538f9c080a3beecbef12d4a17bc3822e08
                                                            • Instruction Fuzzy Hash: EB11AC76404280CFCF16CF54D9C4B5ABF71FB84324F28C6A9D8490B616C37AE45ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Execution Graph

                                                            Execution Coverage:7.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:130
                                                            Total number of Limit Nodes:9

                                                            Graph


                                                            Executed Functions

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04929A6E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 7f642dcfcf3bdb88e248eb43343848268f577c8aedf1e8ca2a5a7ba3a145f4fb
                                                            • Instruction ID: e6baa24633c689b163ebe0132de56852b4fd2dca1bc25debe0d820967efeddd0
                                                            • Opcode Fuzzy Hash: 7f642dcfcf3bdb88e248eb43343848268f577c8aedf1e8ca2a5a7ba3a145f4fb
                                                            • Instruction Fuzzy Hash: 987112B0A00B158FD724DF2AD14165ABBF5BF88314F008A2ED09ADBA54DB35F805CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 58 492569d 59 49256a5-4925769 CreateActCtxA 58->59 61 4925772-49257cc 59->61 62 492576b-4925771 59->62 69 49257db-49257df 61->69 70 49257ce-49257d1 61->70 62->61 71 49257f0 69->71 72 49257e1-49257ed 69->72 70->69 74 49257f1 71->74 72->71 74->74
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 04925759
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: a83048ab50193d9a14285b08d2c009aa07a610db0a15246f2a09bdc93c511b32
                                                            • Instruction ID: f4cda7ccfdcb3865fa8f3f0fb3cff4ab4374d55161f1b0c6a8fde3dc4ea78c42
                                                            • Opcode Fuzzy Hash: a83048ab50193d9a14285b08d2c009aa07a610db0a15246f2a09bdc93c511b32
                                                            • Instruction Fuzzy Hash: 9E410570C00718DBDB24DFA9C9847DEBBF5BF88314F20806AD419AB255DB756946CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 75 492405c-4925769 CreateActCtxA 78 4925772-49257cc 75->78 79 492576b-4925771 75->79 86 49257db-49257df 78->86 87 49257ce-49257d1 78->87 79->78 88 49257f0 86->88 89 49257e1-49257ed 86->89 87->86 91 49257f1 88->91 89->88 91->91
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 04925759
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 8da7138678097fa5d8b776995057237674ff41a7f5dd2d9be6b7212c2c829e1f
                                                            • Instruction ID: cf1ab5a7726b680eabc7d4c43d97827399817918aad5cebf725df01bb0495925
                                                            • Opcode Fuzzy Hash: 8da7138678097fa5d8b776995057237674ff41a7f5dd2d9be6b7212c2c829e1f
                                                            • Instruction Fuzzy Hash: 6841F170C00728CBDB24DFA9C944B9EBBB5BF88318F208069D419AB255DB716945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 92 492a514-492a515 93 492a581-492a58b 92->93 94 492a517 92->94 95 492bd38-492bdcc DuplicateHandle 93->95 94->93 96 492bdd5-492bdf2 95->96 97 492bdce-492bdd4 95->97 97->96
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0492BCFE,?,?,?,?,?), ref: 0492BDBF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 87dac2f731073dce83d2e16d9e09ff6914d5eb198f3e21e84959e2780b2d8753
                                                            • Instruction ID: 1002bfa2b4580af0a99b2074840d0f8f55debe02dae7252e2c8bbeebf93c49e1
                                                            • Opcode Fuzzy Hash: 87dac2f731073dce83d2e16d9e09ff6914d5eb198f3e21e84959e2780b2d8753
                                                            • Instruction Fuzzy Hash: 812135B5D003189FDB10CF99D984AEEBBF4EB48324F14842AE854A3251D374A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 100 492a584-492bdcc DuplicateHandle 102 492bdd5-492bdf2 100->102 103 492bdce-492bdd4 100->103 103->102
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0492BCFE,?,?,?,?,?), ref: 0492BDBF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: d8de32c0847a6e77e3aba923dc8b2bfd6c17f0a5e2e7bbf7625036894aed2da0
                                                            • Instruction ID: dbc936aaec665701b693cd3495cfef7547b92e1453b77f9802c5219c2da68644
                                                            • Opcode Fuzzy Hash: d8de32c0847a6e77e3aba923dc8b2bfd6c17f0a5e2e7bbf7625036894aed2da0
                                                            • Instruction Fuzzy Hash: A421E3B59003189FDB10CF99D984ADEBBF8EB48324F14842AE955A3350D378A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 106 492bd30 107 492bd39-492bdcc DuplicateHandle 106->107 108 492bdd5-492bdf2 107->108 109 492bdce-492bdd4 107->109 109->108
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0492BCFE,?,?,?,?,?), ref: 0492BDBF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 2a301997dda4ba05a41f174a64c8a9d0772a3e40c622a0354753e378f3160be1
                                                            • Instruction ID: ed65a8ec5a513e827dd2780d0e24f2d908d1bc9634f5326358f8f40c374eda7c
                                                            • Opcode Fuzzy Hash: 2a301997dda4ba05a41f174a64c8a9d0772a3e40c622a0354753e378f3160be1
                                                            • Instruction Fuzzy Hash: 022100B59002199FDB10CFA9D984ADEBBF4EB48324F14842AE824A3350D378A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 112 4928b80-4929cd0 114 4929cd2-4929cd5 112->114 115 4929cd8-4929d07 LoadLibraryExW 112->115 114->115 116 4929d10-4929d2d 115->116 117 4929d09-4929d0f 115->117 117->116
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04929AE9,00000800,00000000,00000000), ref: 04929CFA
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 8e8562d4f3eb7604eb728e66f703d164e02dbe274efc1716f5daa409b538b798
                                                            • Instruction ID: 12730c62975af711979196dcc5058ef937737175b919d4ff5a7c83376b504104
                                                            • Opcode Fuzzy Hash: 8e8562d4f3eb7604eb728e66f703d164e02dbe274efc1716f5daa409b538b798
                                                            • Instruction Fuzzy Hash: 4F1103B6E003199FDB10CF9AC544ADEBBF4EB88324F10842AE429B7240C375A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 120 66bdc74-66bdc7b 121 66bece0-66bed45 FindCloseChangeNotification 120->121 122 66bed4e-66bed76 121->122 123 66bed47-66bed4d 121->123 123->122
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,066BEB91,?,?), ref: 066BED38
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.412540575.00000000066B0000.00000040.00000001.sdmp, Offset: 066B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_66b0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 126 66bdcbc-66bed45 FindCloseChangeNotification 128 66bed4e-66bed76 126->128 129 66bed47-66bed4d 126->129 129->128
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,066BEB91,?,?), ref: 066BED38
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.412540575.00000000066B0000.00000040.00000001.sdmp, Offset: 066B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_66b0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 132 4929a08-4929a48 133 4929a50-4929a7b GetModuleHandleW 132->133 134 4929a4a-4929a4d 132->134 135 4929a84-4929a98 133->135 136 4929a7d-4929a83 133->136 134->133 136->135
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04929A6E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.409533024.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4920000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 138 66b2ad8-66bd27a PostMessageW 140 66bd27c-66bd282 138->140 141 66bd283-66bd297 138->141 140->141
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 066BD26D
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.412540575.00000000066B0000.00000040.00000001.sdmp, Offset: 066B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_66b0000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Execution Graph

                                                            Execution Coverage:8%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:116
                                                            Total number of Limit Nodes:11

                                                            Graph


                                                            Executed Functions

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0133BB70
                                                            • GetCurrentThread.KERNEL32 ref: 0133BBAD
                                                            • GetCurrentProcess.KERNEL32 ref: 0133BBEA
                                                            • GetCurrentThreadId.KERNEL32 ref: 0133BC43
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0133BB70
                                                            • GetCurrentThread.KERNEL32 ref: 0133BBAD
                                                            • GetCurrentProcess.KERNEL32 ref: 0133BBEA
                                                            • GetCurrentThreadId.KERNEL32 ref: 0133BC43
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 38 133405c-1335769 CreateActCtxA 41 1335772-13357cc 38->41 42 133576b-1335771 38->42 49 13357db-13357df 41->49 50 13357ce-13357d1 41->50 42->41 51 13357e1-13357ed 49->51 52 13357f0 49->52 50->49 51->52 54 13357f1 52->54 54->54
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 01335759
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 55 13356a0-1335769 CreateActCtxA 57 1335772-13357cc 55->57 58 133576b-1335771 55->58 65 13357db-13357df 57->65 66 13357ce-13357d1 57->66 58->57 67 13357e1-13357ed 65->67 68 13357f0 65->68 66->65 67->68 70 13357f1 68->70 70->70
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 01335759
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 71 133bd37-133bdcc DuplicateHandle 72 133bdd5-133bdf2 71->72 73 133bdce-133bdd4 71->73 73->72
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133BDBF
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 76 133bd38-133bdcc DuplicateHandle 77 133bdd5-133bdf2 76->77 78 133bdce-133bdd4 76->78 78->77
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133BDBF
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 81 1338b80-1339cd0 83 1339cd2-1339cd5 81->83 84 1339cd8-1339d07 LoadLibraryExW 81->84 83->84 85 1339d10-1339d2d 84->85 86 1339d09-1339d0f 84->86 86->85
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01339AE9,00000800,00000000,00000000), ref: 01339CFA
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 100 753ece0-753ed45 FindCloseChangeNotification 101 753ed47-753ed4d 100->101 102 753ed4e-753ed76 100->102 101->102
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 0753ED38
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.419810952.0000000007530000.00000040.00000001.sdmp, Offset: 07530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7530000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 95 7532ad8-753d27a PostMessageW 97 753d283-753d297 95->97 98 753d27c-753d282 95->98 98->97
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0753D26D
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.419810952.0000000007530000.00000040.00000001.sdmp, Offset: 07530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7530000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 89 1339a08-1339a48 90 1339a50-1339a7b GetModuleHandleW 89->90 91 1339a4a-1339a4d 89->91 92 1339a84-1339a98 90->92 93 1339a7d-1339a83 90->93 91->90 93->92
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01339A6E
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 105 1339a0a-1339a48 106 1339a50-1339a7b GetModuleHandleW 105->106 107 1339a4a-1339a4d 105->107 108 1339a84-1339a98 106->108 109 1339a7d-1339a83 106->109 107->106 109->108
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01339A6E
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.414634029.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_1330000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67c62a4c1d51d800c3643790c450a98a68e15ebc15bdb5f2b06e6a8c06379daf
                                                            • Instruction ID: 08e032ad397175330f885482cee6edab450a4b1c54fd5c1e84a720fe410d1134
                                                            • Opcode Fuzzy Hash: 67c62a4c1d51d800c3643790c450a98a68e15ebc15bdb5f2b06e6a8c06379daf
                                                            • Instruction Fuzzy Hash: CB510B75A01219AFDB14DF94D598BEEBBF2FF88310F108459E905A73A0CB71AD41CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c5a3eed4c6d2ce464872af8e3be794fea1a81883d6c49150093a4877f6e927e
                                                            • Instruction ID: aac2051318150bc46b97b4c9399150e4561c09032da4608ad87d0d7f0614d545
                                                            • Opcode Fuzzy Hash: 1c5a3eed4c6d2ce464872af8e3be794fea1a81883d6c49150093a4877f6e927e
                                                            • Instruction Fuzzy Hash: 35412331B042188BCF06DBA4C850AEF7BBAEFC9308F114569E505AB391DF79AD05C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9211dfac61316ea8dbef241dc2c18df47eb961d3ed978cac8cb7d8fd66d1fab8
                                                            • Instruction ID: f7a96320f934f48da0d39ee37c211d2ef51d117c4626b910fb566876f6d94b23
                                                            • Opcode Fuzzy Hash: 9211dfac61316ea8dbef241dc2c18df47eb961d3ed978cac8cb7d8fd66d1fab8
                                                            • Instruction Fuzzy Hash: 5341FB35A042298FDF14EBA8C898B9DB7F1FF89314F114058E505AB3A1DB79A801CF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aab5f21f3e38307c4cf9649a97115e55827ba83e68f3acd18b6bf4acd526f565
                                                            • Instruction ID: 047543f355909d90fc853a4c4653ca9fde9ee3721a82029148d3d81e34c263c6
                                                            • Opcode Fuzzy Hash: aab5f21f3e38307c4cf9649a97115e55827ba83e68f3acd18b6bf4acd526f565
                                                            • Instruction Fuzzy Hash: B8415F30A00209CFCB14EFA8D59499DB7F2FF89308F508969E416AB3A1DBB5AD05CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f62762742bc69aa4eb2518789f359718a13174dfaac66214ea845ac3af644c9
                                                            • Instruction ID: bcda3f489a04220c3833b77512e16b170ecdb1640630eec7d3deade9521b9644
                                                            • Opcode Fuzzy Hash: 4f62762742bc69aa4eb2518789f359718a13174dfaac66214ea845ac3af644c9
                                                            • Instruction Fuzzy Hash: 70411A31B112299FCB1ADBB9D8846EEB7F2BF48204F14492DE116A7390DB749D41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b18c806cae3508f4cdd910049ea244cdf1c54b710b5977fe63d90b91e2a8eb05
                                                            • Instruction ID: 786199a4e733bb4cdec8e211d4c2fa80bb69cf2bdbcb1c10f58397e958e95de2
                                                            • Opcode Fuzzy Hash: b18c806cae3508f4cdd910049ea244cdf1c54b710b5977fe63d90b91e2a8eb05
                                                            • Instruction Fuzzy Hash: C731D430B042250FE718E778D4657AEB7E6DFC5714F1481B9E41AAB3E1CE749D028792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e88ed0ccc3502a8d58d7ee44d2482fee8541f4c6092b90e5857e578fa57c43f4
                                                            • Instruction ID: 8490498c1bc0631389ebbe8b18444e6ade02e84dc46a1079e92103c3f684c958
                                                            • Opcode Fuzzy Hash: e88ed0ccc3502a8d58d7ee44d2482fee8541f4c6092b90e5857e578fa57c43f4
                                                            • Instruction Fuzzy Hash: 1841E675A0020A9FCB40DF68D884A9EFBF5FF49314B14C699E919AB311E770E949CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79df6c33ca3677f8a6587dfbf91a1bac20993576576a70973ed5ddd39fbd20d2
                                                            • Instruction ID: c85c3b315c776845b16b1478934133ba57ad194429a7135a3ee2d9bbe8e37ffd
                                                            • Opcode Fuzzy Hash: 79df6c33ca3677f8a6587dfbf91a1bac20993576576a70973ed5ddd39fbd20d2
                                                            • Instruction Fuzzy Hash: 30313436A042299BCB05DBA4C850ADFBBFAAF88304F014569E505BB381EB75AD45C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 42205183ef0fb2d294123458b1358128a46b1af7757977fddcf02171cbad5958
                                                            • Instruction ID: 6feb2f52eafd07bbc053a79f918c39aace83a3ea4cfe212ca02b24f9a6bd2b4e
                                                            • Opcode Fuzzy Hash: 42205183ef0fb2d294123458b1358128a46b1af7757977fddcf02171cbad5958
                                                            • Instruction Fuzzy Hash: 8F312436A042289BCB05DBA4C840ADFBBFAEF88304F014579E505BB381EB75AD05C7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: feb5971797acd4934a0e9ba75ff171f1fb222ee318ebc158102412586f0e087a
                                                            • Instruction ID: 1f37e2c75e4f6fd5feb69d65e3fee26b472a54cc7c94bb7ff5aaf5b62b1f927d
                                                            • Opcode Fuzzy Hash: feb5971797acd4934a0e9ba75ff171f1fb222ee318ebc158102412586f0e087a
                                                            • Instruction Fuzzy Hash: 3C318071E047118BDB04EF79D48475577B6FF84314F498E79DC096B286EB30A894CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a9e95ae1ff78fb0e1f76528e5e80c5c8af17cea713ee34c7bff4366bda918262
                                                            • Instruction ID: 8cf3504dab2afe0123eb25dadef6d9fbde713f5ca4dc6a4b7bf8aa25e3de102a
                                                            • Opcode Fuzzy Hash: a9e95ae1ff78fb0e1f76528e5e80c5c8af17cea713ee34c7bff4366bda918262
                                                            • Instruction Fuzzy Hash: F141F675A0020A9FCB40DF68D88499EFBF5FF49314B14C699E918AB311E770A949CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 795c34996dabacfd19990d97f35ee89173eb6f3d72ea358321df2265f3be7e14
                                                            • Instruction ID: 7cbdf567b450145c27ed0e994378919060edcd61406138b775008abde3c7fc00
                                                            • Opcode Fuzzy Hash: 795c34996dabacfd19990d97f35ee89173eb6f3d72ea358321df2265f3be7e14
                                                            • Instruction Fuzzy Hash: E9319071E047118BDB04EF79D48479677B6FF84314F598A7ADC0A6B386DB30A894CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea4bf708248618d47bc33bf33ad5bfd18dc6c30676472350d813dd070fb08e2a
                                                            • Instruction ID: d0e4c0843f15bc199a960ce6dbe488716373b22aa21ce3d9ae0aab8cfac33d60
                                                            • Opcode Fuzzy Hash: ea4bf708248618d47bc33bf33ad5bfd18dc6c30676472350d813dd070fb08e2a
                                                            • Instruction Fuzzy Hash: 2431AE31B012299FCB16DAB9D4947EEB7F6BF48300F00492EE516A7390EB70A941CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f92d59e6a00a6240bc8636abdf3297497fdae3e8381c8091cc233dab56f89d06
                                                            • Instruction ID: ec13206a0e38476bf16d8dd717231da54095c9346a9d15e44bdba0004328c581
                                                            • Opcode Fuzzy Hash: f92d59e6a00a6240bc8636abdf3297497fdae3e8381c8091cc233dab56f89d06
                                                            • Instruction Fuzzy Hash: 6E3116357142288FDB10DBA9C494EACBBF6BF49705F5410A9E501DB3A2CBB5DC01CB11
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8c4d5ea8ca8623b402b63fa96754838f3b3cccc9f51e3fe39553ed520bd7d29a
                                                            • Instruction ID: 3b37dc66232aee508989bc1f3cc4f965694e4223d171d87cf5d8da6108790053
                                                            • Opcode Fuzzy Hash: 8c4d5ea8ca8623b402b63fa96754838f3b3cccc9f51e3fe39553ed520bd7d29a
                                                            • Instruction Fuzzy Hash: 6E21F6353105248FCB58EB2DD898D6E7BE6FF89A1572600A9E506CB3B5DA71DC028B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e4b68e6a65ed6faaefe37c482515d6cf8c44f7f18041e067511172cbeb436585
                                                            • Instruction ID: bec135a118b4e5970bf6dc7ce6fd027d4de5e3a370da6b30ad822933a0af22c9
                                                            • Opcode Fuzzy Hash: e4b68e6a65ed6faaefe37c482515d6cf8c44f7f18041e067511172cbeb436585
                                                            • Instruction Fuzzy Hash: BE311232D00B099ECB01AFB8C8544D9F771FF95304B119B5AE95967221FB30E695CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: abab63b0fc22eef0793263e80a876904ef6afee0afb153f4e018d02e657b9531
                                                            • Instruction ID: 7066c4c4eb798f36d1119f86b021bf19988c515878f1fa249b9f87a63179e0b8
                                                            • Opcode Fuzzy Hash: abab63b0fc22eef0793263e80a876904ef6afee0afb153f4e018d02e657b9531
                                                            • Instruction Fuzzy Hash: 6E313674A012199FDB10CF54D595BAEBBF2BF48310F158468E905B7790CB71AD41CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.413653691.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_f9d000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7beaeaaa95fc1d642fef42cefac2ae59e7888bcce526a07d5c9f359d66f3f2ab
                                                            • Instruction ID: b643049826a806c2e5916a839fbf1a0ce7d6637880963d90adaeb801adead442
                                                            • Opcode Fuzzy Hash: 7beaeaaa95fc1d642fef42cefac2ae59e7888bcce526a07d5c9f359d66f3f2ab
                                                            • Instruction Fuzzy Hash: CF21F5B2904344DFEF15DF14D9C0B26BF65FB88368F388569E8050B246C336E856EBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e026b14357d4b0474ac72c0eae8c2b9bee9ba694c969be546cfbe04c74904fd
                                                            • Instruction ID: 8d655eda568cb142d41da3cdecfd04f3ea3e78a62e3924d90149ed6029a29646
                                                            • Opcode Fuzzy Hash: 4e026b14357d4b0474ac72c0eae8c2b9bee9ba694c969be546cfbe04c74904fd
                                                            • Instruction Fuzzy Hash: E3210175B102148FCB08EB78C8559AEBBFAEF89210F0944A9E505EB390CF719C41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a20453e5b2dc0e54597a01991087b5dd41181d6e8b7cf5c7b9f718e0fa4d70c5
                                                            • Instruction ID: d39449ea361595c3b9ef95b415e139762da0b4c2fa8f13afdd39bd43b4f77a77
                                                            • Opcode Fuzzy Hash: a20453e5b2dc0e54597a01991087b5dd41181d6e8b7cf5c7b9f718e0fa4d70c5
                                                            • Instruction Fuzzy Hash: 4D310332D10B0EDECB01EFA8C854499F7B1FF95304B118B5AE95967121FB30E695CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.413724672.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_fad000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ded5b340f2719124af09c08271fdd11815233a13abf51ce75ccef675b1e4ce9b
                                                            • Instruction ID: 6ca2cdfdff14c3ef64da23f81b27e1e640c61cd1f2bd18773cc63742c454fea7
                                                            • Opcode Fuzzy Hash: ded5b340f2719124af09c08271fdd11815233a13abf51ce75ccef675b1e4ce9b
                                                            • Instruction Fuzzy Hash: 3D2122B2A04300DFCB14DF20D9C0B16BB61FB89328F24C569D80A4B68AC73BD846DB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.413724672.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_fad000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44c55f37ce85ab23f54f0e6c905e7c7b38fa42c476209625a65b4840a74539b9
                                                            • Instruction ID: e1e53ab15dae632bd5b4d824b1897b30f161c297b14629d11ef067cb66cb4952
                                                            • Opcode Fuzzy Hash: 44c55f37ce85ab23f54f0e6c905e7c7b38fa42c476209625a65b4840a74539b9
                                                            • Instruction Fuzzy Hash: 102107B1904304EFDB05DF10D9C0B26BBA5FB89328F24C57DD80A4B681C73AE846DB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b26f7a2830a43e501cef8c420b10cb7fb473f5f498c77521f21969a760de260f
                                                            • Instruction ID: 8755952eb2b266a9a56cec7ea040b41c94a416cefba74fcd68cbe9f554a4bc0c
                                                            • Opcode Fuzzy Hash: b26f7a2830a43e501cef8c420b10cb7fb473f5f498c77521f21969a760de260f
                                                            • Instruction Fuzzy Hash: E521CC303146208FCB54EB3DD454A29B3E6AF85619B15896DE506CF3A5DFB1EC42CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5797224fa8039e6f7be421f35d8218bd32916a5f3ec2af5c0165b0d96385f8f0
                                                            • Instruction ID: c234732896c01b9ad1cfe5e19c5dcf2482863ccdae6a15233a3221cd9a67558e
                                                            • Opcode Fuzzy Hash: 5797224fa8039e6f7be421f35d8218bd32916a5f3ec2af5c0165b0d96385f8f0
                                                            • Instruction Fuzzy Hash: 79214C303046208FCB19DB38D454A2977E6BF9661971588AEE506CF3B1DFB2EC02CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b54d49cc3d7b7312bb5fc1bb8fbb1b5842790ef95654721ab7e26ab33ea82460
                                                            • Instruction ID: 3ccaade219d2f3c5e4d43952968d8d181df10d49cf10ba71c2ff53ab15e04796
                                                            • Opcode Fuzzy Hash: b54d49cc3d7b7312bb5fc1bb8fbb1b5842790ef95654721ab7e26ab33ea82460
                                                            • Instruction Fuzzy Hash: 20117531F0062A8BDB10EAA994416BEF7F6FFC4610F14892ED515A7280DB74D90147D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16dd70ab2cd9487422a221f354a2b91501d5ba73dff820dd1c009b88ebb03e56
                                                            • Instruction ID: 35dfce0ee53577fa86f375cfe616168464764cb2d6647c588f1fb337ef68a057
                                                            • Opcode Fuzzy Hash: 16dd70ab2cd9487422a221f354a2b91501d5ba73dff820dd1c009b88ebb03e56
                                                            • Instruction Fuzzy Hash: 1531C0B0D012589FDB20CF99C988B8EBBF5EB48354F24802AE405BB290C7B55845CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b172c05194a271ca989b913795800a58c13005fd612242d9833a857941c3635b
                                                            • Instruction ID: 05c4c12216b00d6869f2a7932b538bd54e3eeadd046be5a1a8a2885a361775e2
                                                            • Opcode Fuzzy Hash: b172c05194a271ca989b913795800a58c13005fd612242d9833a857941c3635b
                                                            • Instruction Fuzzy Hash: 1031C0B1C012589FDB20CF99C989BCEBBF4FB48354F24802AE404BB280D7B55985CF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: edf0265b20ebc1c11e8eac1c0d26ce971e358c67ec2f052e64a7eaa61cabbaf7
                                                            • Instruction ID: 848e14c724c4275ca4e46407e977068e13b9e0bf184c796f6da02af56fc28049
                                                            • Opcode Fuzzy Hash: edf0265b20ebc1c11e8eac1c0d26ce971e358c67ec2f052e64a7eaa61cabbaf7
                                                            • Instruction Fuzzy Hash: 1911B232B006264BDB20AEA998417AFB7F6FBC4610F04492AD515E7280D674D90247D0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e87cbddac2ae8a956ad01fdebc86bc52f4ae6d4900d31d3a24a7b5bb54ea6cff
                                                            • Instruction ID: dd662a09fb0a43c913e44c3e998f42b4d4f8b74df3a7f5ac73991a0c49df0550
                                                            • Opcode Fuzzy Hash: e87cbddac2ae8a956ad01fdebc86bc52f4ae6d4900d31d3a24a7b5bb54ea6cff
                                                            • Instruction Fuzzy Hash: 5111C876B002554B8B25DB798C4457FBBFBFFC42607148A29E419D7380DF709D058761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.413724672.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_fad000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f2d55aeed172376a34f2eadabac28623e051671cd425b58162556c51a656d3b2
                                                            • Instruction ID: 50c7eab7d57f43131c0c0cd3d60d59df29a16a456fab1a71fab7074159865f36
                                                            • Opcode Fuzzy Hash: f2d55aeed172376a34f2eadabac28623e051671cd425b58162556c51a656d3b2
                                                            • Instruction Fuzzy Hash: 6C2150755093C08FCB12CF24D994715BF71EB46324F28C5EAD8498B697C33A984ADB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15db77855a5cca08a4e28c08fa7940a01eeef92f48910bbe960067400e00113e
                                                            • Instruction ID: b0e8a06cdcf9cf32a53788927dbf5c2e353b6843491ca7663bceff8ad735afd5
                                                            • Opcode Fuzzy Hash: 15db77855a5cca08a4e28c08fa7940a01eeef92f48910bbe960067400e00113e
                                                            • Instruction Fuzzy Hash: 0811DD74B102149FC709EB38C4589AEBBFAEF89210F0984ADE402AB391CA719C45CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 38fb2ec5a5b71cbd5a839a4e7785748d9ada1f056c577d77bc282813e83900b5
                                                            • Instruction ID: e7ea88a5f292dbfa60da2230f61c4de4e0aa28deafc9a1932121c0b72a5800c3
                                                            • Opcode Fuzzy Hash: 38fb2ec5a5b71cbd5a839a4e7785748d9ada1f056c577d77bc282813e83900b5
                                                            • Instruction Fuzzy Hash: 9411E274B14215CFCB05FB24C85896FBFFAEF49210F1548AAE401AB392CA35DC01CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e90a703b149ab856280a68e2b483078edda69d0d31ab034ca7e4bb54395134c6
                                                            • Instruction ID: 322b3e9046cb35e5e81b7ea1e12cc25e44638a9c215a21b8503b0a3bcc53d0c1
                                                            • Opcode Fuzzy Hash: e90a703b149ab856280a68e2b483078edda69d0d31ab034ca7e4bb54395134c6
                                                            • Instruction Fuzzy Hash: B511C176A003554F8B22EA798C449BFBBFBFFC52607148529E459D7380EF709D068761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c16afc0d8df4bd7d66d7f8df366d12000ac651c166ef3bf49af07f9ab4a05da3
                                                            • Instruction ID: bb733cac9ff7287513869ab8b0e7c6e18ae532257fe7c33931534c19abacac54
                                                            • Opcode Fuzzy Hash: c16afc0d8df4bd7d66d7f8df366d12000ac651c166ef3bf49af07f9ab4a05da3
                                                            • Instruction Fuzzy Hash: 10214931A10719CFC728EB78C554BAAB3F3FF85305F00496DD16A5B2A1DB71AA41CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b80fb1b407bb01a846f5bdd552aa4aa5370afd09db438e3325f3039936908985
                                                            • Instruction ID: 3f92c2556141ab94a87ca598c97e24248af7a627cf56e50620c450c459eb0bb5
                                                            • Opcode Fuzzy Hash: b80fb1b407bb01a846f5bdd552aa4aa5370afd09db438e3325f3039936908985
                                                            • Instruction Fuzzy Hash: BE217C31A10719CFC728EB78C555BEAB3F3BF84305F00486DC16A5B2A1DB71A982CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8cd35b118417f359e1782a26eb2d4010bb2ade4a205f484f8c122f00a15870ef
                                                            • Instruction ID: c7fc6cee23e3f019d79b3e95c354039b1d6ec32433128f4cf7fc645625a86829
                                                            • Opcode Fuzzy Hash: 8cd35b118417f359e1782a26eb2d4010bb2ade4a205f484f8c122f00a15870ef
                                                            • Instruction Fuzzy Hash: 44117735B002298F8B14EBF895116FEB7FAAF99254B100479D505EB380EF329D528BA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.413653691.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_f9d000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02300354f26ebcfd8d1f5fee0bd3ff538f9c080a3beecbef12d4a17bc3822e08
                                                            • Instruction ID: 9879b02f142e362fd6c1f8b91669c1f11814ef167cbd5753abdc22663c4bd6a0
                                                            • Opcode Fuzzy Hash: 02300354f26ebcfd8d1f5fee0bd3ff538f9c080a3beecbef12d4a17bc3822e08
                                                            • Instruction Fuzzy Hash: 2511AF76804280CFDF15CF10D9C4B16BF71FB84328F3886A9D8454B616C336D856DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6904298ebdd5f367e0ed44856736634a372d108b48779024db035e5d908df57c
                                                            • Instruction ID: 8b76c841d529a9d15068afbf9e003f37a8cbbd4b2b983738c3f6477d1b8f9087
                                                            • Opcode Fuzzy Hash: 6904298ebdd5f367e0ed44856736634a372d108b48779024db035e5d908df57c
                                                            • Instruction Fuzzy Hash: 47117C71F0061A9BCB14DBA9D91A7BEBBF2FF88210F144469D515E3380DB74AE028BD5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.413724672.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_fad000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3a6eb60a70ec0ca554554800ef63ac3af12c64d97730370158fb293fa66ec475
                                                            • Instruction ID: fa9fefef5029f648ef51254b330cf383d9a9c75425e1c16c522713ca49f0089d
                                                            • Opcode Fuzzy Hash: 3a6eb60a70ec0ca554554800ef63ac3af12c64d97730370158fb293fa66ec475
                                                            • Instruction Fuzzy Hash: D6118EB5904280DFCB15CF10D9C4B15BBB1FB85324F24C6ADD8494B656C33AD85ADB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1ec58fea393076550aac2264368335207db989549180c6c2ac008609a6353822
                                                            • Instruction ID: dd03e9a7e4dac333c83baff7d7829e387cac4b63afdcbefb1f5b6fd651bcaa51
                                                            • Opcode Fuzzy Hash: 1ec58fea393076550aac2264368335207db989549180c6c2ac008609a6353822
                                                            • Instruction Fuzzy Hash: BB01A7723046345BD324DA6EEC41B9BB7DDEFC4664704453AE90DC7750E671EC418694
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8ba782c0b867828381cb49d5468e275ecb7b970d7f765478b957c99c349ae438
                                                            • Instruction ID: 76b0f0daf20169410e2823600808bf87e633c25cf5dcc45a4109e4237b092b4c
                                                            • Opcode Fuzzy Hash: 8ba782c0b867828381cb49d5468e275ecb7b970d7f765478b957c99c349ae438
                                                            • Instruction Fuzzy Hash: 3701F9767401081FD714D6799CA1B6A628BDBC8214F254138E10ADF7D4DE20AC4252A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.413653691.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_f9d000_dhcpmon.jbxd
                                                            • Instruction Fuzzy Hash: 03F0A030209319CFC315AB39C4544367BE5BA4220431489AED009DB792CA35E844CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ca49cabf9d63ce08d29b536cadfae9b32cb19485b09c97d8e8a3c5d37665fc5a
                                                            • Instruction ID: 001899cce82407263c564018c095ad2b408c50141dc349c78f8f6c1c5074bbf0
                                                            • Opcode Fuzzy Hash: ca49cabf9d63ce08d29b536cadfae9b32cb19485b09c97d8e8a3c5d37665fc5a
                                                            • Instruction Fuzzy Hash: 72E0C232B052241B272412EF2C9943BBACEEBCD230314413AF50DC3380EDA18C0692B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 92790de14feb08d7bc7a8aed53c59ee7d59cf3e2edd93f4b28264db2583acb3d
                                                            • Instruction ID: 780faf4f3f6e497c1bd0ee4f745883d670d389febdbaadadcb90208bb49ad4a1
                                                            • Opcode Fuzzy Hash: 92790de14feb08d7bc7a8aed53c59ee7d59cf3e2edd93f4b28264db2583acb3d
                                                            • Instruction Fuzzy Hash: F3E09233A50538C7C300DB58F4815B5B7E9F7446693188597ED0DCAA10D373D866D7D0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79fc1fa984383ef0cd0bad4444833b34e04e870caff99b7e27bbfad9e7d06b8b
                                                            • Instruction ID: 40b6cb13603a8afd198bebde6ce29f2b7d78688b208a5d1ebfc889d961e29481
                                                            • Opcode Fuzzy Hash: 79fc1fa984383ef0cd0bad4444833b34e04e870caff99b7e27bbfad9e7d06b8b
                                                            • Instruction Fuzzy Hash: BBE04F3B2405515BC310960DE845FC6FBA9DF89630F558066F649C73A1DA60E841C6A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 235e5d7f13cb6e85f1b737547d2e781c0acdd39919aaa6a628edd2aae481eb38
                                                            • Instruction ID: a6e87e88fbdcdff8d13b39cdf9ebda31bfc6837d6026b125826e1bfc47ac703f
                                                            • Opcode Fuzzy Hash: 235e5d7f13cb6e85f1b737547d2e781c0acdd39919aaa6a628edd2aae481eb38
                                                            • Instruction Fuzzy Hash: 60E0867660121887CB10B7B5D9447767FD9DF86654F000524C0148F7C5DB7AAC5087A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07fa0f0e1d41a31033eb7730789e08cc684a6ff24fae9dd94124722bead86187
                                                            • Instruction ID: f70a6029d9ed4fe6818c86956ef1ebc25f4669bbadf11b65d4e73808d23ebcb7
                                                            • Opcode Fuzzy Hash: 07fa0f0e1d41a31033eb7730789e08cc684a6ff24fae9dd94124722bead86187
                                                            • Instruction Fuzzy Hash: DEE017373508249FC700AA5CE855ADABBEAEF58635B248067F945C73A1DB61DC0086E8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 94ae050b8a15a95f7e672c3dc660f4f8b7e1bb8c1eea4c092f75962bfd42b8c6
                                                            • Instruction ID: 4e6a00a5915a4438813ec78a19de2f78f05431cb0d722fe818a83a15160d0c99
                                                            • Opcode Fuzzy Hash: 94ae050b8a15a95f7e672c3dc660f4f8b7e1bb8c1eea4c092f75962bfd42b8c6
                                                            • Instruction Fuzzy Hash: E3D0A733344238CF4B1537B4781966D73CDAF84566300007EE50EC3650DF61880253C4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d0a630b25b412eecd1465e8af18605de25e104de687eba4cd1ededd7a3df51cb
                                                            • Instruction ID: 6edb458132723dc29c949f07446cca39f022929ab68693d3db68737fa83a244f
                                                            • Opcode Fuzzy Hash: d0a630b25b412eecd1465e8af18605de25e104de687eba4cd1ededd7a3df51cb
                                                            • Instruction Fuzzy Hash: 9EE04671B01321CFC358AFB8D08462637E2AB80315B14C67EC41A9B760CB76E881CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9101dc6e2a51d4cad5c7440870dbc4bfb16063e74de0ba875f9b38c01ef521b8
                                                            • Instruction ID: 3c5d1b2da0752757679b892573d19ac8bbc96e5e693f66b2f9365819e541f542
                                                            • Opcode Fuzzy Hash: 9101dc6e2a51d4cad5c7440870dbc4bfb16063e74de0ba875f9b38c01ef521b8
                                                            • Instruction Fuzzy Hash: 68D012363405149FC3149A4AD808D46BBA9DFC9731B158066F609C7370CA71EC01C794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c824275c34af8f0d4b4a7b0f67143125189089ae1e53eecc5a12168b6f155bec
                                                            • Instruction ID: 6a75e5da826a7c119624175854b4b6a78b83bed5c3007fe491ab91e60ca1d715
                                                            • Opcode Fuzzy Hash: c824275c34af8f0d4b4a7b0f67143125189089ae1e53eecc5a12168b6f155bec
                                                            • Instruction Fuzzy Hash: 09E04F711456855FC702CF30C955D973FA1AF06201B09849AF5898B673C230D564D722
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f56e50ab86a644c142f8997f652952751d6869024f3b934d3fe5eef1b9f1cc8f
                                                            • Instruction ID: 13f0c16ddc78ae87e9a7e794a463da945354340e1273ded66c48dccd655adbeb
                                                            • Opcode Fuzzy Hash: f56e50ab86a644c142f8997f652952751d6869024f3b934d3fe5eef1b9f1cc8f
                                                            • Instruction Fuzzy Hash: F7E04F36A0110DEBCF01DF80E844BDEBB72FF88314F204011FA1127290C3324A21DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36ad5f6053c834e6a65c1473399e907d5d14ac510b0ae79b45fffe7ead3b5378
                                                            • Instruction ID: 061c462405c8803484aed1c0be964228dc83a1c00c77a6a08eadf061398dc0ab
                                                            • Opcode Fuzzy Hash: 36ad5f6053c834e6a65c1473399e907d5d14ac510b0ae79b45fffe7ead3b5378
                                                            • Instruction Fuzzy Hash: 65D0C9363105249F8704AB68E508CA97BEAEB5D66131180A6F909C7361CF71DC109BD4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e61948b95b8823daefbf618cd4fc5394639a5335fcd52f3eaa05f67f5a9c34c6
                                                            • Instruction ID: 4ea7825ac64022069e0c533ce9416e0785a1ca48c8d78f8d670ffe5bd1e4bcae
                                                            • Opcode Fuzzy Hash: e61948b95b8823daefbf618cd4fc5394639a5335fcd52f3eaa05f67f5a9c34c6
                                                            • Instruction Fuzzy Hash: DDC08C3F0100145FC221E6C8E896FE2BBB8FF04238F548063F088E6420E224C0689B11
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f412df58b1162d58c239ccc362c7d1db1b5979eef2ebe541bda376bc1fe5ec41
                                                            • Instruction ID: ce0e19a3d32d16bd03677d3bb2f906ec3caef425ca8f7169544ec8c961c0f2f3
                                                            • Opcode Fuzzy Hash: f412df58b1162d58c239ccc362c7d1db1b5979eef2ebe541bda376bc1fe5ec41
                                                            • Instruction Fuzzy Hash: ACD0C93610010CEFCB01CF95D944D9A3BBAFF48710F008054FA084B232C332E820EB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8fe14dc5cd39eefb69f3ea9e40eeee8013d7e0dc88b9b33ae7421c6c3382cfea
                                                            • Instruction ID: 51d1823baf13b51efc80e55cb04ad0eeb77ba22b7be1e239ba44f154b52d5887
                                                            • Opcode Fuzzy Hash: 8fe14dc5cd39eefb69f3ea9e40eeee8013d7e0dc88b9b33ae7421c6c3382cfea
                                                            • Instruction Fuzzy Hash: 23C08C320102089FD300EF39D88EF807BEEEF08714F684090E10897233D722E8048B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 074405a647274be9a73e88da898f5c741cdad16b8be09eb04d27d77925186580
                                                            • Instruction ID: 7b59fda6ee50ff1208113af248489b3595292b01425b5b037bbbc627db0c6145
                                                            • Opcode Fuzzy Hash: 074405a647274be9a73e88da898f5c741cdad16b8be09eb04d27d77925186580
                                                            • Instruction Fuzzy Hash: 2FB0125B64047002E600F56E9CE17D311D39FC0027FCDC42141C0D8180DD18C4420075
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4390906556f68ccc5de6f0d0d3cda5e63dd28120971441c369d30dc522c998dc
                                                            • Instruction ID: 04c65c8618ea5d90b74ab6393ec858b810825df501ea6d9a645153097a5af156
                                                            • Opcode Fuzzy Hash: 4390906556f68ccc5de6f0d0d3cda5e63dd28120971441c369d30dc522c998dc
                                                            • Instruction Fuzzy Hash: 66C08C328222088AEB004B33740E3603B69E784110F48802AB04441890EF312040A712
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d19e37669473b857fe151925178dc767f9f8cfafe1615945727f0286e895b3b7
                                                            • Instruction ID: eca7daa329e1e7f7ba58de3df834ba232cc59d1ba3fd49d63adc4862dc3f86e7
                                                            • Opcode Fuzzy Hash: d19e37669473b857fe151925178dc767f9f8cfafe1615945727f0286e895b3b7
                                                            • Instruction Fuzzy Hash: 7FC02B53601B0482E3102300EC07BA3BF4CC790724FC58081E0CDC01B1DE29D4118140
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16f463e70e463d1b705261b5d4b9aaaa92e088b4191f08b9abcc1240737b9d81
                                                            • Instruction ID: a823aebaea1905d20282ec7843250e5c917e05b473dac451432e738ebb5fdd4e
                                                            • Opcode Fuzzy Hash: 16f463e70e463d1b705261b5d4b9aaaa92e088b4191f08b9abcc1240737b9d81
                                                            • Instruction Fuzzy Hash: 59C09B3E1251159E4745F750C548D66B6FBFF557847408C52B14487071CF25D534DB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.417561316.00000000053E0000.00000040.00000001.sdmp, Offset: 053E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_53e0000_dhcpmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3c28a67e0cb21b12b717140bcedfbc99a956b9953291e6eb1927d417c4c21b32
                                                            Non-executed Functions

                                                            Execution Graph

                                                            Execution Coverage:9.4%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:88
                                                            Total number of Limit Nodes:8

                                                            Graph

                                                            execution_graph 14247 12392f0 14248 12392ff 14247->14248 14251 12393d9 14247->14251 14259 12393e8 14247->14259 14252 12393fb 14251->14252 14267 1238704 14251->14267 14255 1239413 14252->14255 14271 1239660 14252->14271 14254 123940b 14254->14255 14256 1239610 GetModuleHandleW 14254->14256 14255->14248 14257 123963d 14256->14257 14257->14248 14260 1238704 GetModuleHandleW 14259->14260 14261 12393fb 14260->14261 14262 1239413 14261->14262 14266 1239660 GetModuleHandleW 14261->14266 14262->14248 14263 123940b 14263->14262 14264 1239610 GetModuleHandleW 14263->14264 14265 123963d 14264->14265 14265->14248 14266->14263 14268 12395c8 GetModuleHandleW 14267->14268 14270 123963d 14268->14270 14270->14252 14272 1238704 GetModuleHandleW 14271->14272 14273 1239684 14272->14273 14273->14254 14274 123bd00 DuplicateHandle 14275 123bd96 14274->14275 14276 123fe40 SetWindowLongW 14277 123feac 14276->14277 14278 1239850 14279 1239892 14278->14279 14280 1239898 LoadLibraryExW 14278->14280 14279->14280 14281 12398c9 14280->14281 14282 123b6d0 GetCurrentProcess 14283 123b743 14282->14283 14284 123b74a GetCurrentThread 14282->14284 14283->14284 14285 123b780 14284->14285 14286 123b787 GetCurrentProcess 14284->14286 14285->14286 14287 123b7bd 14286->14287 14288 123b7e5 GetCurrentThreadId 14287->14288 14289 123b816 14288->14289 14290 1236758 14291 1236766 14290->14291 14293 1236344 14290->14293 14294 123634f 14293->14294 14297 1236394 14294->14297 14296 123688d 14296->14291 14298 123639f 14297->14298 14301 12363c4 14298->14301 14300 1236962 14300->14296 14302 12363cf 14301->14302 14305 12363f4 14302->14305 14304 1236a62 14304->14300 14307 12363ff 14305->14307 14306 12371bc 14306->14304 14307->14306 14309 123b406 14307->14309 14310 123b429 14309->14310 14311 123b44d 14310->14311 14314 123b5a9 14310->14314 14318 123b5b8 14310->14318 14311->14306 14316 123b5c5 14314->14316 14315 123b5ff 14315->14311 14316->14315 14322 123a0ec 
14316->14322 14320 123b5c5 14318->14320 14319 123b5ff 14319->14311 14320->14319 14321 123a0ec 6 API calls 14320->14321 14321->14319 14323 123a0f7 14322->14323 14325 123c2f8 14323->14325 14326 123b904 14323->14326 14325->14325 14327 123b90f 14326->14327 14328 123c367 14327->14328 14329 12363f4 6 API calls 14327->14329 14336 123c3d1 14328->14336 14342 123c3e0 14328->14342 14329->14328 14330 123c375 14334 123e0f0 GetModuleHandleW GetModuleHandleW CreateWindowExW 14330->14334 14335 123e0d8 GetModuleHandleW GetModuleHandleW CreateWindowExW 14330->14335 14331 123c3a0 14331->14325 14334->14331 14335->14331 14337 123c40e 14336->14337 14339 123c437 14337->14339 14341 123c4df 14337->14341 14348 123b9a0 14337->14348 14340 123c4da KiUserCallbackDispatcher 14339->14340 14339->14341 14340->14341 14343 123c40e 14342->14343 14344 123b9a0 GetFocus 14343->14344 14345 123c437 14343->14345 14346 123c4df 14343->14346 14344->14345 14345->14346 14347 123c4da KiUserCallbackDispatcher 14345->14347 14347->14346 14349 123b9ab 14348->14349 14350 123ba14 GetFocus 14349->14350 14351 123c9f5 14349->14351 14350->14351 14351->14339

                                                            Executed Functions

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0123B730
                                                            • GetCurrentThread.KERNEL32 ref: 0123B76D
                                                            • GetCurrentProcess.KERNEL32 ref: 0123B7AA
                                                            • GetCurrentThreadId.KERNEL32 ref: 0123B803
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 5b12df8329c8fce497459af3a652b2037db8fe9430e6a6b10139b509d35d12a0
                                                            • Instruction ID: 37b8bc70e6d484c6f0023d17bc4672ff2049ad166fc3ae0cf7be5d2fd01ce810
                                                            • Opcode Fuzzy Hash: 5b12df8329c8fce497459af3a652b2037db8fe9430e6a6b10139b509d35d12a0
                                                            • Instruction Fuzzy Hash: 835154B0D003498FDB14CFAAD5897DEBBF1EF89314F24846AE019A7391C7746886CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0123B730
                                                            • GetCurrentThread.KERNEL32 ref: 0123B76D
                                                            • GetCurrentProcess.KERNEL32 ref: 0123B7AA
                                                            • GetCurrentThreadId.KERNEL32 ref: 0123B803
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 5da3d45924a40b02724165f67af5b2729b5d914fcca6c66bdc76773598f1c354
                                                            • Instruction ID: 37c9d604ed0ed6132458a609ed0ad880803a265d96d75af9324575a878027216
                                                            • Opcode Fuzzy Hash: 5da3d45924a40b02724165f67af5b2729b5d914fcca6c66bdc76773598f1c354
                                                            • Instruction Fuzzy Hash: C85134B0D007098FDB14CFAAD549BDEBBF1EB88314F24846AE029A7390C7746885CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 38 123faa0-123fb88 39 123fb8a-123fbd8 call 123da04 38->39 40 123fbec-123fc5e 38->40 44 123fbdd-123fbde 39->44 42 123fc60-123fc66 40->42 43 123fc69-123fc70 40->43 42->43 45 123fc72-123fc78 43->45 46 123fc7b-123fd1a CreateWindowExW 43->46 45->46 48 123fd23-123fd5b 46->48 49 123fd1c-123fd22 46->49 53 123fd68 48->53 54 123fd5d-123fd60 48->54 49->48 55 123fd69 53->55 54->53 55->55
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0123FD0A
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 24d10690970eee0fae3f345ca730c91cc4a3473cf7617ad8a0abd346773624b1
                                                            • Instruction ID: bce337e1d69b50e88fdc8444ebd5a14d32b44c5d9e9ccaedf7bd6e357a3ee8e7
                                                            • Opcode Fuzzy Hash: 24d10690970eee0fae3f345ca730c91cc4a3473cf7617ad8a0abd346773624b1
                                                            • Instruction Fuzzy Hash: 7B919D71C483C99FDF02DFA8C8A09DDBFB1EF4A210F1841AAE494AB262D7395456CF51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 56 12393e8-12393fd call 1238704 59 1239413-1239417 56->59 60 12393ff-123940d call 1239660 56->60 61 123942b-123946c 59->61 62 1239419-1239423 59->62 60->59 64 1239548-1239608 60->64 67 1239479-1239487 61->67 68 123946e-1239476 61->68 62->61 104 1239610-123963b GetModuleHandleW 64->104 105 123960a-123960d 64->105 70 12394ab-12394ad 67->70 71 1239489-123948e 67->71 68->67 72 12394b0-12394b7 70->72 73 1239490-1239497 call 1238710 71->73 74 1239499 71->74 75 12394c4-12394cb 72->75 76 12394b9-12394c1 72->76 79 123949b-12394a9 73->79 74->79 80 12394d8-12394e1 call 1238720 75->80 81 12394cd-12394d5 75->81 76->75 79->72 86 12394e3-12394eb 80->86 87 12394ee-12394f3 80->87 81->80 86->87 89 1239511-1239515 87->89 90 12394f5-12394fc 87->90 110 1239518 call 1239940 89->110 111 1239518 call 1239968 89->111 90->89 91 12394fe-123950e call 1238730 call 1238740 90->91 91->89 93 123951b-123951e 96 1239541-1239547 93->96 97 1239520-123953e 93->97 97->96 106 1239644-1239658 104->106 107 123963d-1239643 104->107 105->104 107->106 110->93 111->93
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 718cc4482065c0a31373f53667e6320187c26f45d60073c8a6b6bd2408eb324e
                                                            • Instruction ID: e2c5af52722b379bf843f8939df5a45d1c7c064ab8166ad7bb35ae1f74480ecb
                                                            • Opcode Fuzzy Hash: 718cc4482065c0a31373f53667e6320187c26f45d60073c8a6b6bd2408eb324e
                                                            • Instruction Fuzzy Hash: 387125B0A10B068FDB24DF2AD04166ABBF1FF89318F008A2DD59AD7A50D774E855CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 112 123fbf8-123fc5e 113 123fc60-123fc66 112->113 114 123fc69-123fc70 112->114 113->114 115 123fc72-123fc78 114->115 116 123fc7b-123fcb3 114->116 115->116 117 123fcbb-123fd1a CreateWindowExW 116->117 118 123fd23-123fd5b 117->118 119 123fd1c-123fd22 117->119 123 123fd68 118->123 124 123fd5d-123fd60 118->124 119->118 125 123fd69 123->125 124->123 125->125
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0123FD0A
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: b58c95aac05dcb2cf6e3f741d7930f560ea5b02e4f5ce930fdf8b9402755644d
                                                            • Instruction ID: 1482dddacb6ee02e23daaff7f2507045458287c2df3768e6208dfe901ceb6fdd
                                                            • Opcode Fuzzy Hash: b58c95aac05dcb2cf6e3f741d7930f560ea5b02e4f5ce930fdf8b9402755644d
                                                            • Instruction Fuzzy Hash: 8141DEB1D10309DFDF14CF99D984ADEBBB5BF88314F24822AE819AB210D774A845CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 126 123bcf9-123bd94 DuplicateHandle 127 123bd96-123bd9c 126->127 128 123bd9d-123bdba 126->128 127->128
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0123BD87
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 8a5670af1d4d985b19d1bfc408a0e92d1fd473a38f4459e682a1eab5a4c7f31a
                                                            • Instruction ID: 7932222df48a589ff6c287d8cde8f31fe9af77bf60ff54ef8b38c23f90d29824
                                                            • Opcode Fuzzy Hash: 8a5670af1d4d985b19d1bfc408a0e92d1fd473a38f4459e682a1eab5a4c7f31a
                                                            • Instruction Fuzzy Hash: 3921D2B5D00248DFDB10CFA9D885AEEBBF4EB48324F14802AE955A3350D378A955CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 131 123bd00-123bd94 DuplicateHandle 132 123bd96-123bd9c 131->132 133 123bd9d-123bdba 131->133 132->133
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0123BD87
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 136 1239849-1239890 137 1239892-1239895 136->137 138 1239898-12398c7 LoadLibraryExW 136->138 137->138 139 12398d0-12398ed 138->139 140 12398c9-12398cf 138->140 140->139
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 012398BA
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 143 1239850-1239890 144 1239892-1239895 143->144 145 1239898-12398c7 LoadLibraryExW 143->145 144->145 146 12398d0-12398ed 145->146 147 12398c9-12398cf 145->147 147->146
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 012398BA
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 150 1238704-1239608 152 1239610-123963b GetModuleHandleW 150->152 153 123960a-123960d 150->153 154 1239644-1239658 152->154 155 123963d-1239643 152->155 153->152 155->154
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,012393FB), ref: 0123962E
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 157 123fe38-123feaa SetWindowLongW 158 123feb3-123fec7 157->158 159 123feac-123feb2 157->159 159->158
                                                            APIs
                                                            • SetWindowLongW.USER32(?,?,?), ref: 0123FE9D
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LongWindow
                                                            • String ID:
                                                            • API String ID: 1378638983-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 161 123fe40-123feaa SetWindowLongW 162 123feb3-123fec7 161->162 163 123feac-123feb2 161->163 163->162
                                                            APIs
                                                            • SetWindowLongW.USER32(?,?,?), ref: 0123FE9D
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.420759806.0000000001230000.00000040.00000001.sdmp, Offset: 01230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_1230000_NEW PRICE ENQUIRY FROM PHILLIPINES.jbxd
                                                            Similarity
                                                            • API ID: LongWindow
                                                            • String ID:
                                                            • API String ID: 1378638983-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions