Windows Analysis Report
5JbQqP8SDG.exe

Overview

General Information

Sample Name: 5JbQqP8SDG.exe
Analysis ID: 623788
MD5: 250d122f4af32b52435a02787689ebbd
SHA1: 39346c41bcb75109dac251320d4afea649538f85
SHA256: 14f5c3ab5cbad5d2f6e751e8b3d42204460b8b10a38285623734d631a2ceda09
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 5JbQqP8SDG.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\5JbQqP8SDG.exe" MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 6368 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 5JbQqP8SDG.exe (PID: 4676 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
      • schtasks.exe (PID: 1408 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5564 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 5JbQqP8SDG.exe (PID: 5976 cmdline: C:\Users\user\Desktop\5JbQqP8SDG.exe 0 MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 4536 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 5JbQqP8SDG.exe (PID: 7040 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
  • dhcpmon.exe (PID: 6388 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 4176 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp5777.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 4788 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
  • dhcpmon.exe (PID: 6700 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 250D122F4AF32B52435A02787689EBBD)
    • schtasks.exe (PID: 7052 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp58BF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 2260 cmdline: {path} MD5: 250D122F4AF32B52435A02787689EBBD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x40a6:$x1: NanoCore.ClientPluginHost
Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x40a6:$x2: NanoCore.ClientPluginHost
  • 0x4184:$s4: PipeCreated
  • 0x40c0:$s5: IClientLoggingHost
Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
  • 0x40f0:$x2: NanoCore.ClientPlugin
  • 0x40a6:$x3: NanoCore.ClientPluginHost
  • 0x4106:$i3: IClientNetwork
  • 0x40c0:$i6: IClientLoggingHost
  • 0x3e3f:$s1: ClientPlugin
  • 0x40f9:$s1: ClientPlugin
Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\5JbQqP8SDG.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
No Snort rule has matched

AV Detection

Source: 5JbQqP8SDG.exe | Virustotal: Detection: 57%
Source: 5JbQqP8SDG.exe | ReversingLabs: Detection: 63%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\GryVAO.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR
Source: 5JbQqP8SDG.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GryVAO.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack | Avira: Label: TR/NanoCore.fadte
Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5JbQqP8SDG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 5JbQqP8SDG.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: global traffic | TCP traffic: 185.19.85.175 ports 0,1,2,4,5,50421
Source: unknown | DNS query: name: lowspeed121.ddns.net
Source: global traffic | TCP traffic: 192.168.2.5:49775 -> 185.19.85.175:50421
Source: 5JbQqP8SDG.exe, 00000000.00000003.438967518.00000000013DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com=
Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5JbQqP8SDG.exe, 00000000.00000003.455928032.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.p
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 5JbQqP8SDG.exe, 00000000.00000003.444977276.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445248230.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445508362.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comexc
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.co
Source: 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com.
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 5JbQqP8SDG.exe, 00000000.00000003.450491433.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450590496.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450679414.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comaK
Source: 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comaU
Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comepko8
Source: 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comf
Source: 5JbQqP8SDG.exe, 00000000.00000003.448954375.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comicTF
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comc
Source: 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comce
Source: 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comu
Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.c
Source: 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn=
Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnH
Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnU
Source: 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-nFp0
Source: 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnsof
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 5JbQqP8SDG.exe, 00000000.00000003.454422256.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmc
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com=
Source: 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comK
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr%
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440416859.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440348993.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deX
Source: 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: lowspeed121.ddns.net
Source: 5JbQqP8SDG.exe, 00000000.00000002.485929234.0000000000F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud

      Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR

      Operating System Destruction

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process information set: 01 00 00 00

      System Summary

      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.5JbQqP8SDG.exe.2cc21a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 14.2.dhcpmon.exe.31921e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
      Source: 11.2.5JbQqP8SDG.exe.26721a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5JbQqP8SDG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.37c1488.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c755fb.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.53e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.53e0000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.5230000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3d89a68.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c707be.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.3c7b031.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.5400000.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.41bc1d8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.42e1488.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.2c55fe0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.5JbQqP8SDG.exe.3dbe288.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.5JbQqP8SDG.exe.2cc21a8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.5JbQqP8SDG.exe.369c1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.2.5JbQqP8SDG.exe.2c5ae40.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 14.2.dhcpmon.exe.31921e8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
      Source: 11.2.5JbQqP8SDG.exe.26721a8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000002.617062843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000000.580041619.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000002.616000849.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000019.00000002.611605376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001C.00000000.580256144.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001C.00000000.578004077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000000.578446288.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000001D.00000002.619221810.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000019.00000000.576978758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000019.00000000.578970542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000000.582121238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000002.616272773.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001D.00000000.584750033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001C.00000002.612651273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000002.619026955.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000002.605683107.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000002.614606624.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000002.614187578.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000019.00000000.577728547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000019.00000000.576249632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
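The memory-dump names in the hits above carry the process index, the region's base address and, by the look of the values, the Win32 protection and region-type constants of that region. The script below is an editor's example added to this report, not Joe Sandbox or NanoCore code: it parses those names, decodes the two constants and groups the hits per region, so that the dozens of rows collapse into a handful of regions and the ones worth pulling first stand out. The field layout it assumes (field 5 = Protect, field 7 = Type) is inferred from the values lining up with PAGE_* and MEM_* constants and is not stated on this page; verify it against the vendor's documentation before relying on it. On this report's data the NanoCore rules fire on writable and executable private memory at 0x402000 in several process instances, the footprint of the PE injection flagged in the signature list, while the read-write heap and mapped regions that also match hold the decrypted copies the version-info section below names.

```python
"""Group the YARA memory hits above by process and memory region.

Editor's example for this report, not Joe Sandbox or NanoCore code.  The
dump-name layout assumed here, process index . snapshot . dump id . base
address . protection . (unknown) . region type . (unknown), is inferred from
the report's values lining up with Win32 PAGE_* and MEM_* constants; the page
does not document it, so treat the mapping as an assumption to verify.
"""
import re

# Win32 constants (winnt.h), as reported in MEMORY_BASIC_INFORMATION.Protect/.Type.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8 = r"[0-9A-Fa-f]{8}"
REGION_RE = re.compile(
    rf"Source:\s+(?P<proc>{HEX8})\.{HEX8}\.\d+\.(?P<base>[0-9A-Fa-f]{{16}})\."
    rf"(?P<prot>{HEX8})\.{HEX8}\.(?P<type>{HEX8})\.{HEX8}\.sdmp,\s+type:\s+MEMORY"
    r"[;\s]*Matched rule:\s+(?P<rule>\S+)")
PROCSPACE_RE = re.compile(
    r"Source:\s+Process Memory Space:\s+(?P<image>\S+)\s+PID:\s+(?P<pid>\d+),"
    r"\s+type:\s+MEMORYSTR[;\s]*Matched rule:\s+(?P<rule>\S+)")


def parse_hit(line):
    """One report line -> dict for a region hit or a whole-process hit, or None
    for lines of any other kind (code functions, version info, ...)."""
    m = REGION_RE.search(line)
    if m:
        prot, mtype = int(m["prot"], 16), int(m["type"], 16)
        return {"kind": "region", "process": int(m["proc"], 16),
                "base": int(m["base"], 16), "rule": m["rule"],
                "protect": PAGE_PROTECT.get(prot, hex(prot)),
                "type": MEM_TYPE.get(mtype, hex(mtype))}
    m = PROCSPACE_RE.search(line)
    if m:
        return {"kind": "process", "image": m["image"], "pid": int(m["pid"]),
                "rule": m["rule"]}
    return None


def summarize_regions(lines):
    """(process index, base address) -> {'protect', 'type', 'rules'}.  Repeated
    dumps of one region (several snapshots, several rules) collapse into one entry."""
    regions = {}
    for hit in filter(None, map(parse_hit, lines)):
        if hit["kind"] == "region":
            entry = regions.setdefault((hit["process"], hit["base"]),
                                       {"protect": hit["protect"], "type": hit["type"],
                                        "rules": set()})
            entry["rules"].add(hit["rule"])
    return regions


def injected_code_candidates(lines):
    """Regions that are writable+executable and private, i.e. not backed by a file
    image: the footprint of code written into a process by an injector rather than
    loaded from disk.  Pull these dumps first."""
    return sorted(key for key, e in summarize_regions(lines).items()
                  if e["protect"] == "PAGE_EXECUTE_READWRITE" and e["type"] == "MEM_PRIVATE")


def process_space_hits(lines):
    """(image name, PID) -> rules that matched on the whole process memory."""
    out = {}
    for hit in filter(None, map(parse_hit, lines)):
        if hit["kind"] == "process":
            out.setdefault((hit["image"], hit["pid"]), set()).add(hit["rule"])
    return out


# Abridged copies of hit lines from this report (rule metadata shortened).  The
# 0x828000 line is CONSTRUCTED from a dump name in the version-info section, with a
# made-up rule name, to exercise the MEM_IMAGE / PAGE_READONLY decoding.
SAMPLE_HITS = """
Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 0000001C.00000000.579285516.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, author = Kevin Breen
Source: 0000001C.00000000.577242348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, author = Florian Roth
Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen
Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, author = Kevin Breen
Source: 00000000.00000000.435226561.0000000000828000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Constructed_Example_Rule
Source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, author = Kevin Breen
""".strip().splitlines()

if __name__ == "__main__":
    for (proc, base), e in sorted(summarize_regions(SAMPLE_HITS).items()):
        print(f"process {proc:#04x} @ {base:#010x} {e['protect']:<22} {e['type']:<11} {sorted(e['rules'])}")
    print("pull first:", [(hex(p), hex(b)) for p, b in injected_code_candidates(SAMPLE_HITS)])
```

Run it over the whole hit list of a report (or paste the rows of interest into SAMPLE_HITS) and read the summary by region rather than by row: one RWX private region at 0x402000 per injected process instance carries the unpacked body, the RW regions carry decrypted copies in the managed heap, and the whole-process string hits only tell you which PIDs to look at. The separator tolerance in the regexes (`MEMORY[;\s]*Matched`) exists because the report's table cells arrive fused in some exports.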
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 0_2_00792A9A
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 0_2_00F2C084
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 0_2_00F2E398
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 0_2_00F2E388
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 6_2_007E2A9A
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 11_2_001A2A9A
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 11_2_00ABC084
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 11_2_00ABE388
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe; Code function: 11_2_00ABE398
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_00DA2A9A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_02F7E398
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_02F7E388
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_02F7C084
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E80BB0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E88B68
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E89F70
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E81350
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8A5F8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E82148
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E83028
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8D430
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E82FE6
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8A3D8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E85780
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E85380
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E85370
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E85770
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E81340
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E88B58
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E80B21
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E862C8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E862C3
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E84AA0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E89698
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E84A90
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E89696
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8DE48
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E855A0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E84DA0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E84D90
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E85593
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8CD70
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E85148
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E82142
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8513A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8A8B0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E89068
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E80040
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E8E430
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E80006
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E83007
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_07E88C19
      Source: 5JbQqP8SDG.exe, 00000000.00000002.491013592.0000000003290000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000000.00000000.435226561.0000000000828000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000000.00000002.494434677.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000000.00000002.485929234.0000000000F30000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000000.00000002.492892204.00000000040CC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000006.00000000.480282056.0000000000878000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 0000000B.00000002.601550993.00000000071D0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 0000000B.00000002.597247908.0000000002C40000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 0000000B.00000002.580726200.0000000000238000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameeawGGIn.exe@ vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs 5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: GryVAO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 5JbQqP8SDG.exe | Virustotal: Detection: 57%
      Source: 5JbQqP8SDG.exe | ReversingLabs: Detection: 63%
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File read: C:\Users\user\Desktop\5JbQqP8SDG.exe
      Source: 5JbQqP8SDG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe "C:\Users\user\Desktop\5JbQqP8SDG.exe"
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe {path}
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe C:\Users\user\Desktop\5JbQqP8SDG.exe 0
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp5777.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp58BF.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe {path}
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File created: C:\Users\user\AppData\Roaming\GryVAO.exe
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@28/12@9/1
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{3f629223-43f7-4f4e-b56f-3f91ee5e5e46}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 5JbQqP8SDG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 5JbQqP8SDG.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp

      Data Obfuscation

      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07AF2224 push dword ptr [edx+ebp*2-75h]; iretd 14_2_07AF223F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07AF2142 push dword ptr [ebx+ebp-75h]; iretd 14_2_07AF214D
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_07E86710 push 93FFFFFEh; iretd 14_2_07E86715
      Source: initial sample | Static PE information: section name: .text entropy: 7.65135197379
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.2.5JbQqP8SDG.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.0.5JbQqP8SDG.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File created: C:\Users\user\AppData\Roaming\GryVAO.exe
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | File opened: C:\Users\user\Desktop\5JbQqP8SDG.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara match File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR
      Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe TID: 6556 Thread sleep time: -15679732462653109s >= -30000s
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe TID: 632 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5692 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Window / User API: threadDelayed 6415
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Window / User API: threadDelayed 2992
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Window / User API: foregroundWindowGot 705
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process information queried: ProcessInformation
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
      Source: dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Memory written: C:\Users\user\Desktop\5JbQqP8SDG.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Users\user\Desktop\5JbQqP8SDG.exe {path}
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmp5777.tmp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: 5JbQqP8SDG.exe, 00000006.00000002.721142281.00000000060DB000.00000004.00000010.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.722065655.0000000006EDE000.00000004.00000010.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.716969758.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719382712.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719096304.0000000002CED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719647422.0000000003012000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719382712.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000006.00000002.719493359.0000000002F16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerL@
      Source: 5JbQqP8SDG.exe, 00000006.00000002.716969758.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719647422.0000000003012000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager8%n2
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Users\user\Desktop\5JbQqP8SDG.exe VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Users\user\Desktop\5JbQqP8SDG.exe | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
      Source: C:\Users\user\Desktop\5JbQqP8SDG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR

      Remote Access Functionality

      Source: 5JbQqP8SDG.exe, 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 5JbQqP8SDG.exe, 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 5JbQqP8SDG.exe, 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: 5JbQqP8SDG.exe, 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: 5JbQqP8SDG.exe, 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 7036, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 4676, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 5JbQqP8SDG.exe PID: 5976, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6388, type: MEMORYSTR
      MITRE ATT&CK Matrix (one line per tactic column; a number in front of a technique is the signature count shown on the matrix):

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
      Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Privilege Escalation: 112 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 13 Software Packing
      Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: 21 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Network Service Scanning
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
      Collection: 21 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
      Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
      Behavior Graph (ID: 623788; Sample: 5JbQqP8SDG.exe; Start date: 10/05/2022; Architecture: WINDOWS; Score: 100)

      Signatures attached to the root node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures.

      Process tree and per-node details recovered from the graph:
      - 5JbQqP8SDG.exe (started)
        dropped: C:\Users\user\AppData\Roaming\GryVAO.exe (PE32); C:\Users\user\AppData\Local\...\tmpBE25.tmp (XML); C:\Users\user\AppData\...\5JbQqP8SDG.exe.log (ASCII)
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
        - 5JbQqP8SDG.exe (started, child)
          network: lowspeed121.ddns.net 185.19.85.175, ports 49775, 49778, 49781 (DATAWIRE-ASCH, Switzerland)
          dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
          signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier)
          - schtasks.exe (started) -> conhost.exe (started)
          - schtasks.exe (started) -> conhost.exe (started)
        - schtasks.exe (started) -> conhost.exe (started)
      - 5JbQqP8SDG.exe (started)
        signature: Injects a PE file into a foreign processes
      - dhcpmon.exe (started)

Source | Detection | Scanner | Label
5JbQqP8SDG.exe | 58% | Virustotal |
5JbQqP8SDG.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AveMariaRAT
5JbQqP8SDG.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\GryVAO.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AveMariaRAT
C:\Users\user\AppData\Roaming\GryVAO.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AveMariaRAT
Source | Detection | Scanner | Label
6.0.5JbQqP8SDG.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.0.5JbQqP8SDG.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.0.5JbQqP8SDG.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.0.5JbQqP8SDG.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.2.5JbQqP8SDG.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.2.5JbQqP8SDG.exe.53e0000.9.unpack | 100% | Avira | TR/NanoCore.fadte
6.0.5JbQqP8SDG.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.comepko8 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnU | 0% | URL Reputation | safe
http://www.sajatypeworks.com= | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn= | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr% | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnH | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.comK | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htmc | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.agfamonotype.p | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.fonts.comu | 0% | Avira URL Cloud | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.urwpp.deX | 0% | Avira URL Cloud | safe
http://www.carterandcone.comexc | 0% | URL Reputation | safe
http://www.fonts.comc | 0% | URL Reputation | safe
http://www.founder.com.c | 0% | URL Reputation | safe
http://www.fontbureau.co | 0% | URL Reputation | safe
http://www.fontbureau.comaU | 0% | Avira URL Cloud | safe
http://www.fontbureau.comicTF | 0% | Avira URL Cloud | safe
http://www.fontbureau.comaK | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comf | 0% | URL Reputation | safe
http://fontfabrik.com= | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.founder.com.cn/cnl-nFp0 | 0% | Avira URL Cloud | safe
http://www.fonts.comce | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnsof | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lowspeed121.ddns.net | 185.19.85.175 | true | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers/? | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.comepko8 | 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnU | 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com= | 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440416859.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440348993.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn= | 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr% | 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cnH | 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442824583.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comK | 5JbQqP8SDG.exe, 00000000.00000003.439756929.0000000005AF4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439331188.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439537582.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439370513.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439404974.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439577851.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439246890.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htmc | 5JbQqP8SDG.exe, 00000000.00000003.454422256.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com. | 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.galapagosdesign.com/DPlease | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.agfamonotype.p | 5JbQqP8SDG.exe, 00000000.00000003.455928032.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sandoll.co.kr | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.441648603.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comu | 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 5JbQqP8SDG.exe, 00000000.00000002.487043671.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 0000000B.00000002.585122976.0000000002631000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.594285014.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sakkal.com | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deX | 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.carterandcone.comexc | 5JbQqP8SDG.exe, 00000000.00000003.444977276.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445248230.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.445508362.0000000005ADD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fonts.comc | 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.c | 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.co | 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comaU | 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comicTF | 5JbQqP8SDG.exe, 00000000.00000003.448954375.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comaK | 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd | 5JbQqP8SDG.exe, 00000000.00000003.450011274.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450417445.0000000005ADA000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://en.w | 5JbQqP8SDG.exe, 00000000.00000003.438967518.00000000013DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn | 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.442475364.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.comf | 5JbQqP8SDG.exe, 00000000.00000002.493627346.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.485024316.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | 5JbQqP8SDG.exe, 00000000.00000003.450491433.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450590496.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.450679414.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://fontfabrik.com= | 5JbQqP8SDG.exe, 00000000.00000003.440205423.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/ | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 5JbQqP8SDG.exe, 00000000.00000002.494046111.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.comals | 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalic | 5JbQqP8SDG.exe, 00000000.00000003.451055165.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnl-nFp0 | 5JbQqP8SDG.exe, 00000000.00000003.442457599.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comce | 5JbQqP8SDG.exe, 00000000.00000003.439615586.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 5JbQqP8SDG.exe, 00000000.00000003.439692572.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnsof | 5JbQqP8SDG.exe, 00000000.00000003.442704852.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.19.85.175 | lowspeed121.ddns.net | Switzerland | 48971 | DATAWIRE-ASCH | false
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:623788
Start date and time: 2022-05-10 20:23:39 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 14m 31s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:5JbQqP8SDG.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:36
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@28/12@9/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:
                                  • Successful, ratio: 4.3% (good quality ratio 2.1%)
                                  • Quality average: 31.5%
                                  • Quality standard deviation: 39.4%
                                  HCA Information:
                                  • Successful, ratio: 95%
                                  • Number of executed functions: 73
                                  • Number of non-executed functions: 4
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                  • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:25:06 | API Interceptor | 711x Sleep call for process: 5JbQqP8SDG.exe modified
20:25:20 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
20:25:23 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\5JbQqP8SDG.exe" s>$(Arg0)
20:25:25 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
20:25:41 | API Interceptor | 4x Sleep call for process: dhcpmon.exe modified
                                  No context
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):611328
                                  Entropy (8bit):7.644650096826273
                                  Encrypted:false
                                  SSDEEP:12288:LgjjSrFL2yMrcIqrxggKI3Ab2zBFW1iR011EaSvq/gK0ncptnxwTFMtRXZk6m:LgjjgAcIqrcIwb2zTb01m
                                  MD5:250D122F4AF32B52435A02787689EBBD
                                  SHA1:39346C41BCB75109DAC251320D4AFEA649538F85
                                  SHA-256:14F5C3AB5CBAD5D2F6E751E8B3D42204460B8B10A38285623734D631A2CEDA09
                                  SHA-512:36D7E91588D98689C76646AE237C84E1797D3371BB54640793E09C23E545CF5BC454779051853C196F7CA6F58FDA3DC080591BA1F86FF81B61928067C84E5488
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 63%
                                  Reputation:unknown
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Umxb..............P..L..........>k... ........@.. ....................................@..................................j..W.................................................................................... ............... ..H............text...DK... ...L.................. ..`.rsrc................N..............@..@.reloc...............R..............@..B................ k......H.......`................Q...1...........................................*..(#...*..($...*.s%........s&........s'........s(........s)........*.~....o*...*.~....o+...*.~....o,...*.~....o-...*.~....o....*R.......o1..........*..(2...*6..($...(%...*..(&...*......(....*..('...*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(.
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1643
                                  Entropy (8bit):5.168687909215862
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3X
                                  MD5:C6382A296ACE45E0D6C9A4A14FF67E89
                                  SHA1:319FCC78DEC52BCB03209FC3A9FFB4007602874D
                                  SHA-256:13F650B6E05BB9EBA9D6AFAE4E792DF61FDF029DFBF87ABD0B9EE983FDB91286
                                  SHA-512:C500C66CBCDC85C485427DA11D54066BD092EE556A78075CA0F575EDAF1B5B98F6B75532252901766B46126D38D147B6742A80B640434F4DA140C20BC6849FC8
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1643
                                  Entropy (8bit):5.168687909215862
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3X
                                  MD5:C6382A296ACE45E0D6C9A4A14FF67E89
                                  SHA1:319FCC78DEC52BCB03209FC3A9FFB4007602874D
                                  SHA-256:13F650B6E05BB9EBA9D6AFAE4E792DF61FDF029DFBF87ABD0B9EE983FDB91286
                                  SHA-512:C500C66CBCDC85C485427DA11D54066BD092EE556A78075CA0F575EDAF1B5B98F6B75532252901766B46126D38D147B6742A80B640434F4DA140C20BC6849FC8
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):1310
                                  Entropy (8bit):5.109425792877704
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1643
                                  Entropy (8bit):5.168687909215862
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3X
                                  MD5:C6382A296ACE45E0D6C9A4A14FF67E89
                                  SHA1:319FCC78DEC52BCB03209FC3A9FFB4007602874D
                                  SHA-256:13F650B6E05BB9EBA9D6AFAE4E792DF61FDF029DFBF87ABD0B9EE983FDB91286
                                  SHA-512:C500C66CBCDC85C485427DA11D54066BD092EE556A78075CA0F575EDAF1B5B98F6B75532252901766B46126D38D147B6742A80B640434F4DA140C20BC6849FC8
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1301
                                  Entropy (8bit):5.121610238297834
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PdxXxtn:cbk4oL600QydbQxIYODOLedq3SXj
                                  MD5:397A97E4D9348E8C5A0A1AABCE2A141A
                                  SHA1:4165A2A21BB901CB63655774AD8E3B6F6B894FFF
                                  SHA-256:FC8358E632BD6B1AD28318263F46F30F57022D6692F503212DA2123ED60294DA
                                  SHA-512:BD41A5CC77A6ABB91838FE1DABB979B8790E5357ED9444877A047B9FAD06B0282FF646B4BCC2882DD8D2ACAA1FCA89313DD2DB54FC8829DD6E701D65C6594F0D
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
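The two task definitions dropped above differ in exactly the fields that matter for persistence: one registers a LogonTrigger under the user's own account with RunLevel LeastPrivilege and a RegistrationInfo date from 2014 (years before the sample's own May 2022 build stamp), the other has no triggers at all but asks for RunLevel HighestAvailable. The script below is an added example, not part of the sandbox report: it parses Task Scheduler XML in this schema and flags those combinations. The two documents embedded in it are constructed from the fields visible in the previews; the <Actions> element and the command path in it are assumptions, because the previews are cut off before that point.

```python
"""Triage of Task Scheduler XML like the two variants dropped above (Task version 1.2,
namespace http://schemas.microsoft.com/windows/2004/02/mit/task). Added example, not
part of the sandbox report. Both documents are constructed from the fields visible in the
previews; the <Actions> element and its command path are assumptions."""
import re
import xml.etree.ElementTree as ET
from datetime import date

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Variant 1: logon trigger, least privilege, registration date from 2014.
LOGON_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2014-10-25T14:27:44.8929027</Date><Author>computer\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>computer\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>computer\user</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\example\payload.exe</Command></Exec></Actions>
</Task>"""

# Variant 2: no triggers, highest available run level (started on demand by the dropper).
ELEVATED_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo /><Triggers />
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\example\payload.exe</Command></Exec></Actions>
</Task>"""


def load_task(doc) -> ET.Element:
    """The dropped files declare encoding="UTF-16" although the sandbox typed them as ASCII
    text. expat rejects a multi-byte encoding declaration on str input, so the declaration
    is dropped when text is passed in; bytes are parsed as-is (a real UTF-16 file has a BOM)."""
    if isinstance(doc, str):
        doc = re.sub(r"^\s*<\?xml[^>]*\?>", "", doc)
    return ET.fromstring(doc)


def triage_task(doc, observed: date) -> dict:
    """Pull out the persistence-relevant fields and flag the combinations worth a look."""
    root = load_task(doc)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}")[-1] for c in (triggers_el if triggers_el is not None else [])
                if c.findtext("t:Enabled", "true", NS) != "false"]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", "LeastPrivilege", NS)
    reg_date = root.findtext("t:RegistrationInfo/t:Date", "", NS)[:10]
    command = root.findtext("t:Actions/t:Exec/t:Command", "", NS)
    flags = []
    if "LogonTrigger" in triggers:
        flags.append("logon persistence")
    if not triggers:
        flags.append("on-demand only (started by the dropper, not by the scheduler)")
    if run_level == "HighestAvailable":
        flags.append("requests highest available token")
    if root.findtext("t:Settings/t:Hidden", "false", NS) == "true":
        flags.append("hidden")
    if reg_date and (observed - date.fromisoformat(reg_date)).days > 365:
        flags.append("registration date long before the sample was seen")
    if command and not command.lower().startswith(PROTECTED_PREFIXES):
        flags.append("command in a user-writable location")
    return {"triggers": triggers, "run_level": run_level, "registered": reg_date,
            "command": command, "flags": flags}


if __name__ == "__main__":
    for name, doc in (("logon", LOGON_TASK), ("elevated", ELEVATED_TASK)):
        print(name, triage_task(doc, date(2022, 5, 10)))
```

The date check is the cheap tell here: a task registered in 2014 by a binary compiled in May 2022 means the XML was carried along as a template rather than generated on the host. Run the script against exported task XML (schtasks /query /xml) the same way, passing the date the host was imaged.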
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8
                                  Entropy (8bit):3.0
                                  Encrypted:false
                                  SSDEEP:3:y6ln:y6ln
                                  MD5:ED8BF78CAA6512D8C4DE221FC892B8E7
                                  SHA1:0C2CFB8F84BA2873E0195BE895E3BFFD9DAA5A5D
                                  SHA-256:D12CB0817649797E02AEBAC918FD4C3FDA757086CE726BBA9781FAF6D165AF0B
                                  SHA-512:6613AA1FE39368D7188788359E1D2C33862ACAFB19DB9E9ACA2AA902DC9A1D6BF91E8C5B3348AAF457128B96C48D0F5976E1F67A250659219641E5612C3F23C7
                                  Malicious:true
                                  Reputation:unknown
                                  Preview:.....2.H
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):38
                                  Entropy (8bit):4.511085408180429
                                  Encrypted:false
                                  SSDEEP:3:oNUWJRWQvH9BACn:oNNJAQvH92Cn
                                  MD5:E123BF011BFA42FE28C547BEB8B24E19
                                  SHA1:C481D8D3A7E0AFA805432B15C37545B946149727
                                  SHA-256:036BB6A73DF879739586F448D30FDC203B230C314FA7CFE57D9427B677CD19FA
                                  SHA-512:FFB39A79260DC8F91EF5EE98C145D888DA3EC5187014C9E28F60C1419FFBEED4F8F46F8C19DC283EB2ED810D7CA9F74E0F3E4B8FA4FB67EDFDD25A0DB111B3B2
                                  Malicious:false
                                  Reputation:unknown
                                  Preview:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Process:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):611328
                                  Entropy (8bit):7.644650096826273
                                  Encrypted:false
                                  SSDEEP:12288:LgjjSrFL2yMrcIqrxggKI3Ab2zBFW1iR011EaSvq/gK0ncptnxwTFMtRXZk6m:LgjjgAcIqrcIwb2zTb01m
                                  MD5:250D122F4AF32B52435A02787689EBBD
                                  SHA1:39346C41BCB75109DAC251320D4AFEA649538F85
                                  SHA-256:14F5C3AB5CBAD5D2F6E751E8B3D42204460B8B10A38285623734D631A2CEDA09
                                  SHA-512:36D7E91588D98689C76646AE237C84E1797D3371BB54640793E09C23E545CF5BC454779051853C196F7CA6F58FDA3DC080591BA1F86FF81B61928067C84E5488
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 63%
                                  Reputation:unknown
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Umxb..............P..L..........>k... ........@.. ....................................@..................................j..W.................................................................................... ............... ..H............text...DK... ...L.................. ..`.rsrc................N..............@..@.reloc...............R..............@..B................ k......H.......`................Q...1...........................................*..(#...*..($...*.s%........s&........s'........s(........s)........*.~....o*...*.~....o+...*.~....o,...*.~....o-...*.~....o....*R.......o1..........*..(2...*6..($...(%...*..(&...*......(....*..('...*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*b..{....(...+}.....{....*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(...+*...{.......,.rq..p((...z..|....(.
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.644650096826273
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:5JbQqP8SDG.exe
                                  File size:611328
                                  MD5:250d122f4af32b52435a02787689ebbd
                                  SHA1:39346c41bcb75109dac251320d4afea649538f85
                                  SHA256:14f5c3ab5cbad5d2f6e751e8b3d42204460b8b10a38285623734d631a2ceda09
                                  SHA512:36d7e91588d98689c76646ae237c84e1797d3371bb54640793e09c23e545cf5bc454779051853c196f7ca6f58fda3dc080591ba1f86ff81b61928067c84e5488
                                  SSDEEP:12288:LgjjSrFL2yMrcIqrxggKI3Ab2zBFW1iR011EaSvq/gK0ncptnxwTFMtRXZk6m:LgjjgAcIqrcIwb2zTb01m
                                  TLSH:D5D47B9CB110759EF45BD4B2CA686C64A691776B431F42039433E7AE9E2E5F3CE40CA3
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Umxb..............P..L..........>k... ........@.. ....................................@................................
                                  Icon Hash:00828e8e8686b000
                                  Entrypoint:0x496b3e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x62786D55 [Mon May 9 01:24:37 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times)
The only real instruction at the entrypoint is the x86 CLR entry stub: an indirect jmp through the IAT slot at 0x402000 (imagebase 0x400000 + IAT RVA 0x2000), which the loader fills with the address of mscoree!_CorExeMain, the single import listed below. The bytes after the stub are zero padding; 00 00 disassembles as add byte ptr [eax], al, so the run of identical instructions is not code the sample executes.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x96ae4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x98000          0x398         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9a000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x94b44       0x94c00   False     0.799832589286   data       7.65135197379   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x98000          0x398         0x400     False     0.376953125      data       2.97811845606   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9a000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA      Size   Type  Language  Country
RT_VERSION  0x98058  0x33c  data
DLL          Import
mscoree.dll  _CorExeMain
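The entrypoint, data directory, section and import rows above are what a static parser recovers from the PE header, and together they say the same thing: a 32-bit .NET image (COM descriptor directory present, single import mscoree!_CorExeMain, entry stub in .text) whose .text section has an entropy of 7.65, far above what compiled CIL normally shows. The following is an added example, not code from the report or from Joe Sandbox: a minimal PE32 parser that pulls out those fields, computes per-section entropy and checks that the entrypoint is the FF 25 stub jumping through the IAT. It runs on an image constructed in memory with the same layout as the analysed file (imagebase 0x400000, IAT at RVA 0x2000, CLR header at 0x2008, timestamp 0x62786D55); the sha256-derived filler in that image's .text is an assumption standing in for packed code.

```python
"""Static triage of a PE32 image for the rows the report prints above: entrypoint and its
section, data directories, per-section entropy, the COM descriptor (CLR header) and the
FF 25 entry stub that jumps through the IAT to mscoree!_CorExeMain.
Added example, not part of the sandbox report. build_sample_image() constructs a small
image with the same layout as the analysed file (imagebase 0x400000, IAT at RVA 0x2000 and
CLR header at 0x2008 inside .text, timestamp 0x62786D55); it is not that file, and its
sha256-derived .text filler is an assumption standing in for packed code."""
import hashlib
import math
import struct
import time
from collections import Counter

DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
        "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
        "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data sits near 8, ordinary x86/CIL code well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe32(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                        # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    entry = struct.unpack_from("<I", image, opt + 16)[0]                 # AddressOfEntryPoint
    base = struct.unpack_from("<I", image, opt + 28)[0]                  # ImageBase
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]                 # NumberOfRvaAndSizes
    dirs = {DIRS[i]: struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(min(ndirs, 16))}
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                     "rawptr": rawptr, "rawsize": rawsize,
                     "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "entry_rva": entry,
            "image_base": base, "directories": dirs, "sections": secs}


def section_of(pe: dict, rva: int):
    return next((s for s in pe["sections"] if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)


def triage(image: bytes) -> dict:
    """The checks behind the report's Entrypoint, CLR version, Import Hash and Entropy rows."""
    pe = parse_pe32(image)
    sec = section_of(pe, pe["entry_rva"])
    off = pe["entry_rva"] - sec["va"] + sec["rawptr"] if sec else None
    stub = image[off:off + 6] if off is not None else b""
    # FF 25 imm32 = jmp dword ptr [imm32], the x86 CLR entry stub. Its operand must be the one
    # IAT slot (imagebase + IAT RVA) that the loader fills with mscoree!_CorExeMain.
    iat_rva = pe["directories"].get("IAT", (0, 0))[0]
    clr_stub = (len(stub) == 6 and stub[:2] == b"\xff\x25"
                and struct.unpack("<I", stub[2:])[0] == pe["image_base"] + iat_rva)
    return {"entrypoint": pe["image_base"] + pe["entry_rva"],
            "entry_section": sec["name"] if sec else None,
            "has_clr_header": pe["directories"].get("COM_DESCRIPTOR", (0, 0))[1] > 0,
            "clr_stub_targets_iat": clr_stub,
            "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(pe["timestamp"])),
            "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] > 7.0]}


def build_sample_image() -> bytes:
    """Constructed PE32, not the analysed file: .text at RVA 0x2000 holds the IAT, the CLR
    header, the entry stub and pseudo-random filler; .rsrc at 0x4000 is mostly zeros."""
    base, text_rva, rsrc_rva, text_ptr, rsrc_ptr = 0x400000, 0x2000, 0x4000, 0x200, 0x600
    text = bytearray(0x400)
    struct.pack_into("<II", text, 0x00, text_rva + 0x60, 0)              # IAT thunk + terminator
    struct.pack_into("<IHHIII", text, 0x08, 0x48, 2, 5, 0, 0, 1)          # CLR header, ILONLY flag
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", base + text_rva)    # jmp dword ptr [0x402000]
    text[0x60:] = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(29))  # filler (assumption)
    rsrc = bytearray(0x200)
    rsrc[0x58:0x67] = b"CPT185_Homework"
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                               # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x62786D55, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva + 0x50)                      # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, base, 0x1000, 0x200)                # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x6000, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    for i, rva, size in ((2, rsrc_rva, 0x398), (12, text_rva, 8), (14, text_rva + 8, 0x48)):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)

    def sec(name, rva, data, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data), ptr, 0, 0, 0, 0, flags)

    hdr = (bytes(dos) + coff + bytes(opt) + sec(b".text", text_rva, text, text_ptr, 0x60000020)
           + sec(b".rsrc", rsrc_rva, rsrc, rsrc_ptr, 0x40000040))
    return hdr.ljust(text_ptr, b"\0") + bytes(text) + bytes(rsrc)


if __name__ == "__main__":
    for k, v in triage(build_sample_image()).items():
        print("%-22s %s" % (k, v))
```

Pass the bytes of a real file to triage() instead of the constructed image. The entropy threshold of 7.0 is a triage heuristic, not a rule: a .NET assembly whose .text is mostly CIL and metadata lands around 5 to 6, so 7.65 in a 600 KB section is the kind of number that, together with the "contains potential unpacker" signature, points at an encrypted payload decrypted at runtime.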
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright CPT185
Assembly Version  1.2.0.0
InternalName      eawGGIn.exe
FileVersion       1.2.0.0
CompanyName       CPT185
LegalTrademarks
Comments
ProductName       CPT185_Homework
ProductVersion    1.2.0.0
FileDescription   CPT185_Homework
OriginalFilename  eawGGIn.exe
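The packet list that follows shows the same client opening a fresh TCP connection to 185.19.85.175:50421 every five to eight seconds, each time from a new ephemeral port (49775, 49778, 49781, ...), exchanging three packets in each direction and moving on. That regular, short, answered connection pattern is the check-in loop behind the "Connects to many ports of the same IP" signature. The script below is an added example, not part of the report: it groups rows in the report's format into client-initiated flows and scores how regular their start times are. The rows embedded in it are the first packet in each direction of each of the ten connections in the table, copied from the report; the thresholds (at least five connections, jitter of at most 25% of the median gap) are assumptions.

```python
"""Beacon scoring over the sandbox's packet list. Added example, not part of the report.
PACKETS holds the first packet in each direction of each of the ten connections shown in
the table (copied from the report, plus a header line to show it is skipped); the
thresholds in beacon_candidates() are assumptions."""
import re
import statistics
from collections import OrderedDict
from datetime import datetime, timedelta

PACKETS = """\
Timestamp Source Port Dest Port Source IP Dest IP
May 10, 2022 20:25:32.728507042 CEST 49775 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:25:32.746197939 CEST 50421 49775 185.19.85.175 192.168.2.5
May 10, 2022 20:25:38.412297964 CEST 49778 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:25:38.474441051 CEST 50421 49778 185.19.85.175 192.168.2.5
May 10, 2022 20:25:44.898557901 CEST 49781 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:25:44.916450024 CEST 50421 49781 185.19.85.175 192.168.2.5
May 10, 2022 20:25:51.772958040 CEST 49784 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:25:51.814470053 CEST 50421 49784 185.19.85.175 192.168.2.5
May 10, 2022 20:25:57.005374908 CEST 49787 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:25:57.063580990 CEST 50421 49787 185.19.85.175 192.168.2.5
May 10, 2022 20:26:02.305550098 CEST 49789 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:26:02.337171078 CEST 50421 49789 185.19.85.175 192.168.2.5
May 10, 2022 20:26:10.671817064 CEST 49791 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:26:10.701931953 CEST 50421 49791 185.19.85.175 192.168.2.5
May 10, 2022 20:26:16.140109062 CEST 49797 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:26:16.159164906 CEST 50421 49797 185.19.85.175 192.168.2.5
May 10, 2022 20:26:21.410116911 CEST 49801 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:26:21.428174019 CEST 50421 49801 185.19.85.175 192.168.2.5
May 10, 2022 20:26:26.726931095 CEST 49803 50421 192.168.2.5 185.19.85.175
May 10, 2022 20:26:26.754028082 CEST 50421 49803 185.19.85.175 192.168.2.5
"""

# "May 10, 2022 20:25:32.728507042 CEST 49775 50421 192.168.2.5 185.19.85.175"
ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \S+ (\d+) (\d+) (\S+) (\S+)$")


def parse_rows(text: str) -> list:
    """(timestamp, src port, dst port, src ip, dst ip) per packet; other lines are skipped.
    strptime's %f takes at most six digits, so the nine-digit fraction is added by hand."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        stamp, frac, sport, dport, sip, dip = m.groups()
        ts = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S") + timedelta(seconds=int(frac) / 10 ** len(frac))
        rows.append((ts, int(sport), int(dport), sip, dip))
    return rows


def connections(rows, client_ip: str) -> "OrderedDict":
    """Client-initiated flows keyed by (server ip, server port, client port), first-seen order."""
    flows = OrderedDict()
    for ts, sport, dport, sip, dip in rows:
        if sip == client_ip:
            f = flows.setdefault((dip, dport, sport), {"start": ts, "sent": 0, "replied": False})
            f["sent"] += 1
        elif dip == client_ip and (sip, sport, dport) in flows:
            flows[(sip, sport, dport)]["replied"] = True
    return flows


def beacon_candidates(flows, min_connections=5, max_jitter=0.25) -> dict:
    """Per server endpoint: connection count, median gap between connection starts and
    jitter = median absolute deviation / median gap. Many answered connections at a steady
    gap is the shape of a check-in loop; thresholds are assumptions to tune per network."""
    by_server = {}
    for (dip, dport, _), f in flows.items():
        by_server.setdefault((dip, dport), []).append(f)
    report = {}
    for server, fl in by_server.items():
        if len(fl) < min_connections:
            continue
        starts = sorted(f["start"] for f in fl)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        med = statistics.median(gaps)
        jitter = statistics.median(abs(g - med) for g in gaps) / med if med else float("inf")
        report[server] = {"connections": len(fl), "replied": sum(f["replied"] for f in fl),
                          "median_gap_s": round(med, 3), "jitter": round(jitter, 3),
                          "beacon": jitter <= max_jitter}
    return report


if __name__ == "__main__":
    for server, r in beacon_candidates(connections(parse_rows(PACKETS), "192.168.2.5")).items():
        print("%s:%d" % server, r)
```

The median and MAD are used instead of mean and standard deviation on purpose: a single delayed check-in (the 8.4 s gap before the 20:26:10 connection) would inflate a standard deviation but barely moves the MAD, so a sleep-with-jitter implant still scores as regular. Against real traffic, feed the same five fields from a flow log or pcap summary and raise min_connections to cover a longer window.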
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 10, 2022 20:25:32.728507042 CEST  49775        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:32.746197939 CEST  50421        49775      185.19.85.175  192.168.2.5
May 10, 2022 20:25:33.344623089 CEST  49775        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:33.403633118 CEST  50421        49775      185.19.85.175  192.168.2.5
May 10, 2022 20:25:34.032136917 CEST  49775        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:34.062242985 CEST  50421        49775      185.19.85.175  192.168.2.5
May 10, 2022 20:25:38.412297964 CEST  49778        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:38.474441051 CEST  50421        49778      185.19.85.175  192.168.2.5
May 10, 2022 20:25:39.032617092 CEST  49778        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:39.072555065 CEST  50421        49778      185.19.85.175  192.168.2.5
May 10, 2022 20:25:39.641993046 CEST  49778        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:39.672367096 CEST  50421        49778      185.19.85.175  192.168.2.5
May 10, 2022 20:25:44.898557901 CEST  49781        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:44.916450024 CEST  50421        49781      185.19.85.175  192.168.2.5
May 10, 2022 20:25:45.533144951 CEST  49781        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:45.552731991 CEST  50421        49781      185.19.85.175  192.168.2.5
May 10, 2022 20:25:46.110516071 CEST  49781        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:46.154194117 CEST  50421        49781      185.19.85.175  192.168.2.5
May 10, 2022 20:25:51.772958040 CEST  49784        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:51.814470053 CEST  50421        49784      185.19.85.175  192.168.2.5
May 10, 2022 20:25:52.346168041 CEST  49784        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:52.372033119 CEST  50421        49784      185.19.85.175  192.168.2.5
May 10, 2022 20:25:52.951143980 CEST  49784        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:52.990546942 CEST  50421        49784      185.19.85.175  192.168.2.5
May 10, 2022 20:25:57.005374908 CEST  49787        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:57.063580990 CEST  50421        49787      185.19.85.175  192.168.2.5
May 10, 2022 20:25:57.637762070 CEST  49787        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:57.657197952 CEST  50421        49787      185.19.85.175  192.168.2.5
May 10, 2022 20:25:58.239928007 CEST  49787        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:25:58.265409946 CEST  50421        49787      185.19.85.175  192.168.2.5
May 10, 2022 20:26:02.305550098 CEST  49789        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:02.337171078 CEST  50421        49789      185.19.85.175  192.168.2.5
May 10, 2022 20:26:03.002831936 CEST  49789        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:03.029366970 CEST  50421        49789      185.19.85.175  192.168.2.5
May 10, 2022 20:26:03.691318035 CEST  49789        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:03.709923983 CEST  50421        49789      185.19.85.175  192.168.2.5
May 10, 2022 20:26:10.671817064 CEST  49791        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:10.701931953 CEST  50421        49791      185.19.85.175  192.168.2.5
May 10, 2022 20:26:11.323120117 CEST  49791        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:11.343614101 CEST  50421        49791      185.19.85.175  192.168.2.5
May 10, 2022 20:26:12.019603968 CEST  49791        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:12.039122105 CEST  50421        49791      185.19.85.175  192.168.2.5
May 10, 2022 20:26:16.140109062 CEST  49797        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:16.159164906 CEST  50421        49797      185.19.85.175  192.168.2.5
May 10, 2022 20:26:16.738403082 CEST  49797        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:16.756925106 CEST  50421        49797      185.19.85.175  192.168.2.5
May 10, 2022 20:26:17.288614988 CEST  49797        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:17.306202888 CEST  50421        49797      185.19.85.175  192.168.2.5
May 10, 2022 20:26:21.410116911 CEST  49801        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:21.428174019 CEST  50421        49801      185.19.85.175  192.168.2.5
May 10, 2022 20:26:22.004448891 CEST  49801        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:22.033843994 CEST  50421        49801      185.19.85.175  192.168.2.5
May 10, 2022 20:26:22.694041014 CEST  49801        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:22.711700916 CEST  50421        49801      185.19.85.175  192.168.2.5
May 10, 2022 20:26:26.726931095 CEST  49803        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:26.754028082 CEST  50421        49803      185.19.85.175  192.168.2.5
May 10, 2022 20:26:27.348707914 CEST  49803        50421      192.168.2.5    185.19.85.175
May 10, 2022 20:26:27.366638899 CEST  50421        49803      185.19.85.175  192.168.2.5
May 10, 2022 20:26:28.036252022 CEST  49803        50421      192.168.2.5    185.19.85.175
                                  May 10, 2022 20:26:28.063142061 CEST5042149803185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:32.088620901 CEST4980450421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:32.106316090 CEST5042149804185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:32.645987988 CEST4980450421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:32.663572073 CEST5042149804185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:33.349282980 CEST4980450421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:33.368165970 CEST5042149804185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:37.387248993 CEST4980550421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:37.404926062 CEST5042149805185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:38.005887032 CEST4980550421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:38.023646116 CEST5042149805185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:38.693451881 CEST4980550421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:38.711137056 CEST5042149805185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:42.812170029 CEST4980750421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:42.844466925 CEST5042149807185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:43.350069046 CEST4980750421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:43.368793964 CEST5042149807185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:44.026642084 CEST4980750421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:44.061487913 CEST5042149807185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:49.824131966 CEST4980950421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:49.848602057 CEST5042149809185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:50.350656986 CEST4980950421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:50.368242025 CEST5042149809185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:51.038208961 CEST4980950421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:51.055838108 CEST5042149809185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:55.132627964 CEST4981550421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:55.150667906 CEST5042149815185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:55.741739988 CEST4981550421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:55.759327888 CEST5042149815185.19.85.175192.168.2.5
                                  May 10, 2022 20:26:56.351227999 CEST4981550421192.168.2.5185.19.85.175
                                  May 10, 2022 20:26:56.381736994 CEST5042149815185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:00.384252071 CEST4984150421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:00.401876926 CEST5042149841185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:00.945350885 CEST4984150421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:00.970081091 CEST5042149841185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:01.476583004 CEST4984150421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:01.496156931 CEST5042149841185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:05.512118101 CEST4985050421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:05.541635036 CEST5042149850185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:06.133254051 CEST4985050421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:06.173866034 CEST5042149850185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:06.742738008 CEST4985050421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:06.760603905 CEST5042149850185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:10.790426016 CEST4985350421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:10.808140039 CEST5042149853185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:11.358550072 CEST4985350421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:11.377403021 CEST5042149853185.19.85.175192.168.2.5
                                  May 10, 2022 20:27:11.946223974 CEST4985350421192.168.2.5185.19.85.175
                                  May 10, 2022 20:27:11.963841915 CEST5042149853185.19.85.175192.168.2.5
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  May 10, 2022 20:25:32.594398022 CEST | 54322 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:25:32.613013983 CEST | 53 | 54322 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:25:38.359194040 CEST | 63712 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:25:38.380553007 CEST | 53 | 63712 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:25:44.221904993 CEST | 62466 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:25:44.240909100 CEST | 53 | 62466 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:26:08.134268999 CEST | 57352 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:26:08.155194998 CEST | 53 | 57352 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:26:16.115792990 CEST | 63241 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:26:16.137823105 CEST | 53 | 63241 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:26:21.373483896 CEST | 57809 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:26:21.391987085 CEST | 53 | 57809 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:26:42.791327953 CEST | 62680 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:26:42.808203936 CEST | 53 | 62680 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:26:49.778464079 CEST | 49407 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:26:49.799529076 CEST | 53 | 49407 | 8.8.8.8 | 192.168.2.5
                                  May 10, 2022 20:26:55.111569881 CEST | 54463 | 53 | 192.168.2.5 | 8.8.8.8
                                  May 10, 2022 20:26:55.130059958 CEST | 53 | 54463 | 8.8.8.8 | 192.168.2.5
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  May 10, 2022 20:25:32.594398022 CEST | 192.168.2.5 | 8.8.8.8 | 0x70e8 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:25:38.359194040 CEST | 192.168.2.5 | 8.8.8.8 | 0x9d84 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:25:44.221904993 CEST | 192.168.2.5 | 8.8.8.8 | 0xae7 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:08.134268999 CEST | 192.168.2.5 | 8.8.8.8 | 0xb5df | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:16.115792990 CEST | 192.168.2.5 | 8.8.8.8 | 0x41e3 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:21.373483896 CEST | 192.168.2.5 | 8.8.8.8 | 0x946 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:42.791327953 CEST | 192.168.2.5 | 8.8.8.8 | 0xb453 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:49.778464079 CEST | 192.168.2.5 | 8.8.8.8 | 0xa12 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:55.111569881 CEST | 192.168.2.5 | 8.8.8.8 | 0x20a2 | Standard query (0) | lowspeed121.ddns.net | A (IP address) | IN (0x0001)
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  May 10, 2022 20:25:32.613013983 CEST | 8.8.8.8 | 192.168.2.5 | 0x70e8 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:25:38.380553007 CEST | 8.8.8.8 | 192.168.2.5 | 0x9d84 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:25:44.240909100 CEST | 8.8.8.8 | 192.168.2.5 | 0xae7 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:08.155194998 CEST | 8.8.8.8 | 192.168.2.5 | 0xb5df | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:16.137823105 CEST | 8.8.8.8 | 192.168.2.5 | 0x41e3 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:21.391987085 CEST | 8.8.8.8 | 192.168.2.5 | 0x946 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:42.808203936 CEST | 8.8.8.8 | 192.168.2.5 | 0xb453 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:49.799529076 CEST | 8.8.8.8 | 192.168.2.5 | 0xa12 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)
                                  May 10, 2022 20:26:55.130059958 CEST | 8.8.8.8 | 192.168.2.5 | 0x20a2 | No error (0) | lowspeed121.ddns.net |  | 185.19.85.175 | A (IP address) | IN (0x0001)

                                  Target ID:0
                                  Start time:20:24:53
                                  Start date:10/05/2022
                                  Path:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\5JbQqP8SDG.exe"
                                  Imagebase:0x790000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.491093919.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Target ID:4
                                  Start time:20:25:13
                                  Start date:10/05/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GryVAO" /XML "C:\Users\user\AppData\Local\Temp\tmpBE25.tmp
                                  Imagebase:0xd30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:5
                                  Start time:20:25:13
                                  Start date:10/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff77f440000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:6
                                  Start time:20:25:14
                                  Start date:10/05/2022
                                  Path:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x7e0000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.483728850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.720577614.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.482077079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.720534425.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.482642247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.706388161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.720461431.0000000005230000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.712205262.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.719803754.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.483222299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Target ID:9
                                  Start time:20:25:20
                                  Start date:10/05/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpFEC7.tmp
                                  Imagebase:0xd30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:10
                                  Start time:20:25:21
                                  Start date:10/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff77f440000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:11
                                  Start time:20:25:23
                                  Start date:10/05/2022
                                  Path:C:\Users\user\Desktop\5JbQqP8SDG.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\5JbQqP8SDG.exe 0
                                  Imagebase:0x1a0000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.597428271.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Target ID:12
                                  Start time:20:25:23
                                  Start date:10/05/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBD8.tmp
                                  Imagebase:0xd30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:13
                                  Start time:20:25:24
                                  Start date:10/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff77f440000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:14
                                  Start time:20:25:26
                                  Start date:10/05/2022
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                  Imagebase:0xda0000
                                  File size:611328 bytes
                                  MD5 hash:250D122F4AF32B52435A02787689EBBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.604549457.0000000004159000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 63%, ReversingLabs
                                  Reputation:low

                                    Execution Graph

                                    Execution Coverage:8.1%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:67
                                    Total number of Limit Nodes:7

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00F2B650
                                    • GetCurrentThread.KERNEL32 ref: 00F2B68D
                                    • GetCurrentProcess.KERNEL32 ref: 00F2B6CA
                                    • GetCurrentThreadId.KERNEL32 ref: 00F2B723
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: b5c39be1af28e425dc00fe74da60be7a1737b30602c5f6644c6cd40f218c903a
                                    • Instruction ID: 26cc23af25f6b71e022942c6352a08afdb554d22d84a4a7b570686d872faa2a5
                                    • Opcode Fuzzy Hash: b5c39be1af28e425dc00fe74da60be7a1737b30602c5f6644c6cd40f218c903a
                                    • Instruction Fuzzy Hash: 185143B09002098FDB14CFAAE548BEEBBF5FF48314F248869E459A7250DB75A844CF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted. Function 00F292F0, basic blocks 00F292F0-00F29560; calls 00F28D5C, 00F29578, 00F28D68, 00F28D78, 00F28D88 and 00F28D98, and GetModuleHandleW in block 00F29518-00F29543.)
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00F29536
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: e4991ffaadd807f105ac54c4fadbd5f88525acdb9015bfdb10e87e1a1568e583
                                    • Instruction ID: b0156e227910c1f83144f75d40b1ef3c19bfd6a48cc04d5009b899df221650e7
                                    • Opcode Fuzzy Hash: e4991ffaadd807f105ac54c4fadbd5f88525acdb9015bfdb10e87e1a1568e583
                                    • Instruction Fuzzy Hash: B0712470A04B158FDB24DF6AE4517AAB7F5BF88314F00892DD48AD7A40DB75E80ACF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted. Function 00F2FB18, basic blocks 00F2FB18-00F2FC88; the CreateWindowExW call is in block 00F2FB9B-00F2FC3A.)
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F2FC2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 479fab018da14fe5b3e8fd618688455e22e90fd7aa491c4dd8f3285e61c5c52b
                                    • Instruction ID: 13b277fd233c7367d0623a3f422f13a3064fb04f5b821d87b724874522370505
                                    • Opcode Fuzzy Hash: 479fab018da14fe5b3e8fd618688455e22e90fd7aa491c4dd8f3285e61c5c52b
                                    • Instruction Fuzzy Hash: A341E0B1D10319DFDB14CF99D884ADEBBB5BF88314F24812AE818AB210D7749985CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted. Function 00F2B818, basic blocks 00F2B818-00F2B8D2; the DuplicateHandle call is in block 00F2B818-00F2B8AC.)
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F2B89F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 39c749f4746739b566ea6e0120c3fed4c299fec9c6a63aa85a8ecbef5fe378f1
                                    • Instruction ID: 7c97dbb171ce0b197d1f8ddab25951ab10be02ba5ccd2e7bbc658d52de1ccadb
                                    • Opcode Fuzzy Hash: 39c749f4746739b566ea6e0120c3fed4c299fec9c6a63aa85a8ecbef5fe378f1
                                    • Instruction Fuzzy Hash: 9821C6B5D012189FDB10CFA9D484AEEBBF8FF48324F14841AE954A7350D378A955CF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted. Function 00F28DC0, basic blocks 00F28DC0-00F297F5; the LoadLibraryExW call is in block 00F297A0-00F297CF.)
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F295B1,00000800,00000000,00000000), ref: 00F297C2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 64ed7ba055595da09121a3dfe25f905ed379d19f4b416a99bfbcf0db4c0f1703
                                    • Instruction ID: 268b54cc6b13f563a5047b70455e9b6f9ba73abb867c35e62a829fc0214d2f99
                                    • Opcode Fuzzy Hash: 64ed7ba055595da09121a3dfe25f905ed379d19f4b416a99bfbcf0db4c0f1703
                                    • Instruction Fuzzy Hash: 0D1117B6D042188FCB10CF9AD444ADEFBF4FF48320F14842AD455A7600C7B5A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted. Function 00F294D0, basic blocks 00F294D0-00F29560; the GetModuleHandleW call is in block 00F29518-00F29543.)
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00F29536
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 900cab0bf229ab807a4804f723f5eaae54ec8583eb0478f936c258d78da9de5c
                                    • Instruction ID: 9cd684705e404ae91cb1932b79280802ba8095c8978918c0a2a9c08505316ff4
                                    • Opcode Fuzzy Hash: 900cab0bf229ab807a4804f723f5eaae54ec8583eb0478f936c258d78da9de5c
                                    • Instruction Fuzzy Hash: A81102B5D002198FCB10CF9AD444ADEFBF4AF88324F14841AD419A7200D378A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted. Function 00F2FD60, basic blocks 00F2FD60-00F2FDE7; the SetWindowLongW call is in block 00F2FD60-00F2FDCA.)
                                    APIs
                                    • SetWindowLongW.USER32(?,?,?), ref: 00F2FDBD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: f10bf803b26315e5912a4b1d25277e88fad92cc4c8b6f827e4a74d09c68e6859
                                    • Instruction ID: 30ff89b789ac0bf20004bc802117265b28fc329062445db12a96a74595515635
                                    • Opcode Fuzzy Hash: f10bf803b26315e5912a4b1d25277e88fad92cc4c8b6f827e4a74d09c68e6859
                                    • Instruction Fuzzy Hash: C311E5B58002199FDB10DF99D484BDFBBF8FB48324F54841AD955A7740D378A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dbd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d58fed137343121db3f99a4a12776eabd8bf3fbcf67cb7083cb45b4c4d03c0e9
                                    • Instruction ID: 8b3f338ccf3bf0b1affd5a7040ab254503a1cc7f24095d2378c35565d281e2e1
                                    • Opcode Fuzzy Hash: d58fed137343121db3f99a4a12776eabd8bf3fbcf67cb7083cb45b4c4d03c0e9
                                    • Instruction Fuzzy Hash: 09212871504244DFDB04CF50D8C0FA6BBA6FB88324F28C569E8460B246D336E856C7B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dbd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0726b9705d81396a3caf246c06661114b62413764f7668eb83eb20b678bd4112
                                    • Instruction ID: 718e7211c414c5edd42651c220fe7636a79b10aa1f41b58469c1fe319c4e7149
                                    • Opcode Fuzzy Hash: 0726b9705d81396a3caf246c06661114b62413764f7668eb83eb20b678bd4112
                                    • Instruction Fuzzy Hash: 9B212871504244DFDB15CF54D8C0FA6BFA6FB88328F288569E9060B246D336D855CBB2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485783188.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dcd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 644da72b07a81f28dd16b59415afa805d61d5a3fb9a02003ba7ac38b03a09eec
                                    • Instruction ID: 320684a4733f219a1cf6af5c6d64ea8a6258ae996dac8593a073269bf64ab151
                                    • Opcode Fuzzy Hash: 644da72b07a81f28dd16b59415afa805d61d5a3fb9a02003ba7ac38b03a09eec
                                    • Instruction Fuzzy Hash: 1921C175504245DFDB14CF68D8C4F26BBA6FB88314F24C97DE84A4B246C336D846DA71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485783188.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dcd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7e77ec8a55c324d4e55fa36452f076048ed9d2e63486281c6ed1dd8f14d25171
                                    • Instruction ID: 584c82f7fe7048ad694491e4168da929de8c193d335e00d7a2671b5eec615712
                                    • Opcode Fuzzy Hash: 7e77ec8a55c324d4e55fa36452f076048ed9d2e63486281c6ed1dd8f14d25171
                                    • Instruction Fuzzy Hash: 5C21C171504245AFDB05DF60D9C4F26FBA6FB88318F28CA7DE8494B245C336D846CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485783188.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dcd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6ffa6940868cd707a4296afe863c998faeaddd9bba80a2deb0d1aca15c12c74f
                                    • Instruction ID: 4e1154c32bcf3b0367557c0e07786aea856e5eea3fca398f346d414717baef81
                                    • Opcode Fuzzy Hash: 6ffa6940868cd707a4296afe863c998faeaddd9bba80a2deb0d1aca15c12c74f
                                    • Instruction Fuzzy Hash: D82180755093C08FCB02CF24D994B15BF71EB46314F28C5EED8498B697C33A984ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dbd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
                                    • Instruction ID: e4c0389afe00be2551171b3120cf51fb0601ed0498af378391faac31f81d50ae
                                    • Opcode Fuzzy Hash: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
                                    • Instruction Fuzzy Hash: 2711E676504280CFCF12CF14D5C4B56BFB2FB85328F28C6A9D9050B656D33AD85ACBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dbd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
                                    • Instruction ID: b19bd4e34e21711a9c92ab716c63273e05881f05cd411d67af9a9b283c1be9b9
                                    • Opcode Fuzzy Hash: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
                                    • Instruction Fuzzy Hash: D4110876404280CFCF11CF10D5C4B56BF72FB94324F28C6A9D8450B656D33AE85ACBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485783188.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dcd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bbc4167c3c97515e31d18ccee52d8336f50c7ccc6e38931adc408a7337d2e844
                                    • Instruction ID: 3c4619c3adb80cbb1ccdbc084a14284a9c1ce5e5cdb780a213481140a47bbad5
                                    • Opcode Fuzzy Hash: bbc4167c3c97515e31d18ccee52d8336f50c7ccc6e38931adc408a7337d2e844
                                    • Instruction Fuzzy Hash: 1F119075504280DFCB11CF10D9C4B15FB72FB84314F28C6AED8494B656C33AD85ACB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dbd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 75cd503f57643ac4f68d76731bfea2b120f05d814e69470aa5831d05fc1faa87
                                    • Instruction ID: f2047205647181688f2f08ac9d9f99177a366753026a6a86047d3ce92503412c
                                    • Opcode Fuzzy Hash: 75cd503f57643ac4f68d76731bfea2b120f05d814e69470aa5831d05fc1faa87
                                    • Instruction Fuzzy Hash: 7D01F771008340DAE7104E62CC84BE7BB9CEF45364F18895AED471A246FB79D844CAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_dbd000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b8c32604c7e11ca05021e50a0971a8f45522e79a6014790d134aa31fe56c1155
                                    • Instruction ID: ac86b0ca22fe99d6dd1bfdead445ea77c9e45f8be8d573e42d6549712e2ed3c0
                                    • Opcode Fuzzy Hash: b8c32604c7e11ca05021e50a0971a8f45522e79a6014790d134aa31fe56c1155
                                    • Instruction Fuzzy Hash: 67F062714052449EE7108E15CCC4BA3FF98EF45774F18C45AED095B286E779AC44CAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%
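The per-function blocks above follow one fixed layout: an optional APIs list (call, module, resolved call-site address), the memory-dump source and offset, the Similarity IDs (Opcode ID, Instruction ID and the two fuzzy hashes) and a closing Uniqueness Score. Two of the 00DBD000 entries carry the same Opcode ID with different Instruction IDs, which is what the Opcode ID is for: the same code dumped at different addresses. The following is an added example, not part of the Joe Sandbox report or its tooling, that turns these text blocks into records, indexes the resolved API call sites and flags Opcode ID collisions. SAMPLE is constructed from blocks on this page; the block boundary rule (a block ends at its Uniqueness Score line) is inferred from the page, and FunctionRecord, parse_report, duplicate_code and api_index are the example's own names.

```python
"""Parse Joe Sandbox per-function blocks ("APIs", "Memory Dump Source",
"Similarity", "Uniqueness") into records. Added example, not part of the
report; SAMPLE is constructed from blocks on this page, names are ours."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "DuplicateHandle.KERNELBASE(?,?), ref: 00F2B89F"  or  "GetCurrentThread.KERNEL32 ref: 00F2B68D"
API_RE = re.compile(r"^(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
SECTIONS = {"Control-flow Graph", "APIs", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (api, module, [args], call-site address)
    fields: dict = field(default_factory=dict)  # "Opcode ID", "Source File", ... -> value


def parse_report(text):
    """One FunctionRecord per block; a block ends at its 'Uniqueness Score' line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()          # bullets are decoration
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "Control-flow Graph":               # legend and graph dump: skip
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m.group(3) or "").split(",") if a]
            cur.apis.append((m.group(1), m.group(2), args, int(m.group(4), 16)))
            continue
        key, sep, value = line.partition(":")             # "Key: value" metadata lines
        if sep:
            cur.fields[key.strip()] = value.strip()
        if key.strip() == "Uniqueness Score":             # last line of every block
            records.append(cur)
            cur, section = FunctionRecord(), None
    return records


def duplicate_code(records):
    """Opcode ID groups with more than one member: the same code dumped at different addresses."""
    groups = defaultdict(list)
    for r in records:
        if r.fields.get("Opcode ID"):
            groups[r.fields["Opcode ID"]].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


def api_index(records):
    """module!api -> sorted call-site addresses, for cross-referencing a disassembly."""
    index = defaultdict(list)
    for r in records:
        for api, module, _args, ref in r.apis:
            index[f"{module}!{api}"].append(ref)
    return {k: sorted(v) for k, v in index.items()}


# Constructed sample: three blocks copied from this page, trimmed to the fields used here.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 00F2B650
• GetCurrentThread.KERNEL32 ref: 00F2B68D
• GetCurrentProcess.KERNEL32 ref: 00F2B6CA
• GetCurrentThreadId.KERNEL32 ref: 00F2B723
Memory Dump Source
• Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• Opcode ID: b5c39be1af28e425dc00fe74da60be7a1737b30602c5f6644c6cd40f218c903a
Uniqueness

Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
Similarity
• API ID:
• Opcode ID: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
• Instruction ID: e4c0389afe00be2551171b3120cf51fb0601ed0498af378391faac31f81d50ae
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.485755896.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
Similarity
• API ID:
• Opcode ID: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
• Instruction ID: b19bd4e34e21711a9c92ab716c63273e05881f05cd411d67af9a9b283c1be9b9
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print(api_index(recs), {k[:12]: len(v) for k, v in duplicate_code(recs).items()})
```

Run against the full page text, api_index gives the call sites the sandbox resolved for each import (here both GetCurrentProcess sites in 00F2B5F0), and duplicate_code lists the Opcode ID shared by the two 00DBD000 entries; the Instruction ID differs between them, so Opcode ID is the key to de-duplicate on when counting distinct functions, not Instruction ID.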

                                    C-Code - Quality: 72%
                                    			E00792A9A(signed int __eax, signed int __ecx, signed int __edx, void* __edi, signed int __esi, void* __fp0) {
                                    				signed int _t1080;
                                    				signed int _t1081;
                                    				signed int _t1082;
                                    				signed int* _t1083;
                                    				signed char _t1085;
                                    				signed int _t1087;
                                    				signed int _t1088;
                                    				intOrPtr* _t1089;
                                    				signed int* _t1090;
                                    				signed int _t1091;
                                    				signed char _t1092;
                                    				signed int* _t1277;
                                    				intOrPtr* _t1278;
                                    				void* _t1279;
                                    				intOrPtr* _t1280;
                                    				signed int _t1282;
                                    				signed char _t1283;
                                    				signed int _t1284;
                                    				signed int _t1286;
                                    				signed int _t1287;
                                    				signed char _t1288;
                                    				signed int _t1289;
                                    				intOrPtr* _t1291;
                                    				signed int _t1293;
                                    				signed char _t1295;
                                    				intOrPtr* _t1314;
                                    				signed char _t1315;
                                    				signed int _t1316;
                                    				void* _t1318;
                                    				void* _t1319;
                                    				void* _t1320;
                                    				void* _t1321;
                                    				void* _t1322;
                                    				void* _t1323;
                                    				void* _t1324;
                                    				void* _t1325;
                                    				void* _t1326;
                                    				void* _t1327;
                                    				void* _t1328;
                                    				signed char _t1329;
                                    				void* _t1330;
                                    				signed char _t1332;
                                    				signed char _t1333;
                                    				signed char _t1334;
                                    				void* _t1335;
                                    				signed char _t1336;
                                    				signed char _t1337;
                                    				signed char _t1680;
                                    				signed char _t1681;
                                    				signed char _t1683;
                                    				signed char _t1684;
                                    				void* _t1688;
                                    				signed int _t1691;
                                    				void* _t1692;
                                    				signed char _t1694;
                                    				void* _t1696;
                                    				signed char _t1697;
                                    				void* _t1741;
                                    				signed int* _t1744;
                                    				intOrPtr* _t1745;
                                    				signed int _t1749;
                                    				intOrPtr* _t1750;
                                    				signed int _t1757;
                                    				intOrPtr* _t1758;
                                    				signed int _t1770;
                                    				signed int _t1815;
                                    				intOrPtr _t1870;
                                    				void* _t2017;
                                    
                                    				_t2017 = __fp0;
                                    				_t1749 = __esi;
                                    				_t1691 = __edx;
                                    				_t1314 = __ecx;
                                    				_t1078 = __eax;
                                    				_t1744 = __edi + __esi;
                                    				asm("adc [esi], esp");
                                    				if(_t1744 < 0) {
                                    					L5:
                                    					_t2017 = _t2017 +  *_t1691;
                                    					_t1080 = (_t1078 |  *_t1749) -  *(_t1078 |  *_t1749);
                                    					 *_t1080 =  *_t1080 + _t1080;
                                    					 *((intOrPtr*)(_t1080 + _t1080)) =  *((intOrPtr*)(_t1080 + _t1080)) + _t1293;
                                    					 *_t1314 =  *_t1314 + _t1080;
                                    					 *((intOrPtr*)(_t1080 + _t1080 + 8)) =  *((intOrPtr*)(_t1080 + _t1080 + 8)) + _t1314;
                                    					_t1081 = _t1757;
                                    					_t1757 = _t1080;
                                    					 *_t1293 =  *_t1293 + _t1314;
                                    					if ( *_t1293 == 0) goto L6;
                                    					 *_t1081 =  *_t1081 + _t1081;
                                    					_t1082 = _t1081 +  *_t1081;
                                    					asm("insb");
                                    					 *((intOrPtr*)(_t1082 + _t1082 * 8)) =  *((intOrPtr*)(_t1082 + _t1082 * 8)) + _t1691;
                                    					asm("adc eax, 0x0");
                                    					asm("adc esi, [eax]");
                                    					 *_t1082 =  *_t1082 + _t1082;
                                    					asm("adc al, 0x0");
                                    					 *_t1082 =  *_t1082 + _t1082;
                                    					_t1083 = _t1082 +  *_t1082;
                                    					 *_t1314 =  *_t1314 + _t1691;
                                    					_t1315 = _t1314 +  *((intOrPtr*)( &(_t1083[0xb46c000]) + _t1749));
                                    					 *_t1083 =  *_t1083 | _t1315;
                                    					 *_t1083 = _t1083 +  *_t1083;
                                    					 *_t1293 =  *_t1293 + _t1315;
                                    					_t1316 = _t1315 |  *_t1293;
                                    					_t1085 = _t1083 +  *_t1691 |  *_t1749;
                                    					_t1692 = _t1691 -  *_t1293;
                                    					 *_t1749 =  *_t1749 ^ _t1085;
                                    					 *_t1085 =  *_t1085 + _t1293;
                                    					 *_t1085 =  *_t1085 + _t1085;
                                    					_t1078 = _t1085 +  *_t1085;
                                    					 *_t1316 =  *_t1316 + _t1692;
                                    					 *_t1078 =  *_t1078 - _t1316;
                                    					 *_t1749 =  *_t1749 + _t1078;
                                    					ss = es;
                                    					asm("salc");
                                    					_t1694 = _t1692 +  *_t1744 +  *_t1749;
                                    					 *_t1078 =  *_t1078 - _t1316;
                                    					 *_t1749 =  *_t1749 + _t1078;
                                    					_pop(ss);
                                    					asm("salc");
                                    					if( *_t1749 < 0) {
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						_t1316 = _t1316 |  *_t1694;
                                    						_t1691 = _t1694 +  *_t1749;
                                    						 *_t1078 =  *_t1078 - _t1316;
                                    						goto L8;
                                    					}
                                    				} else {
                                    					 *__eax =  *__eax + __eax;
                                    					if( *__eax >= 0) {
                                    						_t1293 = __ecx;
                                    						 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) + __eax;
                                    						_t1078 = __eax & 0x20280716;
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						_push(es);
                                    						 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) - _t1078;
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						_push(es);
                                    						 *0x1b28 = _t1078;
                                    					}
                                    					es = es;
                                    					 *_t1078 =  *_t1078 - _t1078;
                                    					 *_t1078 =  *_t1078 + _t1078;
                                    					_push(es);
                                    					 *_t1691 =  *_t1691 - _t1078;
                                    					 *_t1078 =  *_t1078 + _t1078;
                                    					_push(es);
                                    					if( *_t1078 != 0) {
                                    						L8:
                                    						_t1288 = _t1078 - 1;
                                    						 *_t1288 =  *_t1288 + _t1288;
                                    						_push(es);
                                    						_t1289 = _t1288 | 0x0000002b;
                                    						_t1694 = (_t1691 |  *_t1749) +  *[cs:edi];
                                    						 *_t1289 =  *_t1289 - _t1316;
                                    						 *_t1749 =  *_t1749 + _t1289;
                                    						asm("sbb [esi], al");
                                    						 *_t1316 =  *_t1316 | _t1694;
                                    						_t1291 = (_t1289 | 0x2b041316) + 3;
                                    						asm("adc [eax+ecx], eax");
                                    						 *_t1291 =  *_t1291 - _t1316;
                                    						 *_t1694 =  *_t1694 + _t1316;
                                    						 *_t1316 =  *_t1316 - _t1316;
                                    						 *_t1694 =  *_t1694 + _t1316;
                                    						asm("adc [edi+edx], eax");
                                    						asm("salc");
                                    						asm("adc eax, [ecx+edx]");
                                    						_t1293 = _t1293 ^ _t1770;
                                    						 *_t1744 =  *_t1744 | _t1694;
                                    						asm("salc");
                                    						_t1078 = _t1291 + 0x00000009 | 0x00000008;
                                    						L9:
                                    						 *_t1744 =  *_t1744 | _t1078;
                                    						_t1749 = _t1749 ^ _t1316;
                                    						_push(es);
                                    						_t1694 = _t1694 -  *_t1293;
                                    						 *_t1078 =  *_t1078 ^ _t1316;
                                    					} else {
                                    						_push(es);
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						_t1078 = _t1078 + 0xd0;
                                    						_push(es);
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						asm("sbb ebp, [eax]");
                                    						asm("sbb [eax], eax");
                                    						 *_t1749 =  *_t1749 + _t1078;
                                    						 *_t1293 =  *_t1293 - _t1078;
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						goto L5;
                                    					}
                                    				}
                                    				 *((intOrPtr*)(_t1293 + 0x3000000)) =  *((intOrPtr*)(_t1293 + 0x3000000)) + _t1694;
                                    				 *_t1078 =  *_t1078 + _t1078;
                                    				asm("adc [ebx], eax");
                                    				do {
                                    					_t1694 = _t1694 +  *_t1744;
                                    					asm("ficom dword [edi]");
                                    					asm("salc");
                                    					_t1078 = _t1078 + 0x17;
                                    					asm("ficom dword [edi]");
                                    					asm("salc");
                                    					if(_t1078 < 0) {
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						_t1316 = _t1316 |  *_t1694;
                                    						_push(es);
                                    						_push(ss);
                                    						 *_t1757 =  *_t1757 - _t1316;
                                    						 *_t1749 =  *_t1749 + _t1078;
                                    						_t1694 = _t1694 |  *_t1749;
                                    						_t1284 = _t1078 | 0x0000002b;
                                    						if(_t1284 < 0) {
                                    							_pop(ss);
                                    							 *_t1757 =  *_t1757 - _t1316;
                                    							 *_t1749 =  *_t1749 + _t1284;
                                    						}
                                    						_push(es);
                                    						 *_t1316 =  *_t1316 | _t1694;
                                    						_t1286 = (_t1284 | 0x2b041316) + 0x1b;
                                    						_t1293 = _t1316;
                                    						 *_t1316 =  *_t1316 + _t1286;
                                    						_t1287 = _t1286 & 0x01057216;
                                    						 *((intOrPtr*)(_t1287 - 0x5e)) =  *((intOrPtr*)(_t1287 - 0x5e)) + _t1694;
                                    						_t1078 = _t1287 & 0x4e280817;
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						_push(es);
                                    						 *0x2b721825 = _t1078;
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						if( *_t1078 < 0) {
                                    							goto L9;
                                    						} else {
                                    							_t1078 = _t1078 & 0x28041119;
                                    							_t1749 = _t1749 - 1;
                                    							 *_t1078 =  *_t1078 + _t1078;
                                    						}
                                    					}
                                    					 *_t1749 =  *_t1749 + _t1078;
                                    					 *0x33721a25 = _t1078;
                                    					 *_t1078 =  *_t1078 + _t1078;
                                    				} while ( *_t1078 < 0);
                                    				 *_t1744 =  *_t1744 - _t1316;
                                    				 *_t1749 =  *_t1749 + _t1078;
                                    				if( *_t1749 < 0) {
                                    					L20:
                                    					 *_t1757 =  *_t1757 - _t1316;
                                    					 *_t1749 =  *_t1749 + _t1078;
                                    					_t1694 = _t1694 +  *_t1749 |  *_t1749;
                                    					_t1757 = _t1757 |  *_t1293;
                                    					_pop(ss);
                                    					 *_t1757 =  *_t1757 - _t1316;
                                    					 *_t1749 =  *_t1749 + _t1078;
                                    					_t1087 = _t1078 | 0x703203f;
                                    					 *_t1087 =  *_t1087 | _t1757;
                                    					_t1088 = _t1087 - 1;
                                    					 *_t1088 =  *_t1088 + _t1088;
                                    					_t1316 = _t1316 |  *_t1088;
                                    					_t1749 = _t1749 - 1;
                                    					 *_t1088 =  *_t1088 + _t1088;
                                    					_push(es);
                                    					if( *_t1088 >= 0) {
                                    						 *_t1088 =  *_t1088 + _t1088;
                                    						if( *_t1088 >= 0) {
                                    							_push(_t1694);
                                    							 *_t1088 =  *_t1088 + _t1088;
                                    							_push(es);
                                    							 *_t1293 =  *_t1293 - _t1694;
                                    							 *_t1749 =  *_t1749 + _t1088;
                                    							 *_t1744 =  *_t1744 | _t1694;
                                    							asm("salc");
                                    							_t1078 = _t1088 | 0xdc310809;
                                    							goto L23;
                                    						}
                                    						goto L24;
                                    					}
                                    				} else {
                                    					 *_t1078 =  *_t1078 + _t1078;
                                    					if( *_t1078 < 0) {
                                    						L23:
                                    						asm("fsubr qword [eax]");
                                    						 *_t1078 =  *_t1078 + _t1078;
                                    						es = es;
                                    						ss = _t1770;
                                    						asm("salc");
                                    						_t1282 = _t1078 |  *_t1744;
                                    						_push(es);
                                    						_t1293 = _t1293 ^ _t1282;
                                    						_t1088 = _t1282 -  *_t1282;
                                    						 *_t1293 =  *_t1293 + _t1293;
                                    						 *_t1694 =  *_t1694 ^ _t1088;
                                    						 *_t1316 =  *_t1316 + _t1088;
                                    						 *_t1088 =  *_t1088 + _t1088;
                                    						L24:
                                    						 *_t1088 =  *_t1088 + _t1088;
                                    						 *_t1088 =  *_t1088 + _t1088;
                                    						 *_t1293 =  *_t1293 + _t1088;
                                    						_t1280 = _t1088 - 0x13;
                                    						_t1293 = _t1293 +  *((intOrPtr*)(_t1293 + 0x12));
                                    						 *_t1280 =  *_t1280 + _t1280;
                                    						_t1088 = _t1280 + 0x0000002c |  *_t1694;
                                    						_t1815 = _t1088;
                                    					} else {
                                    						 *((intOrPtr*)(_t1078 + 0x15)) =  *((intOrPtr*)(_t1078 + 0x15)) + _t1694;
                                    						asm("adc eax, 0x5028");
                                    						_push(es);
                                    						 *_t1316 =  *_t1316 - _t1694;
                                    						 *_t1749 =  *_t1749 + _t1078;
                                    						 *_t1316 =  *_t1316 - _t1316;
                                    						 *_t1694 =  *_t1694 + _t1316;
                                    						asm("adc [edi+edx], eax");
                                    						asm("salc");
                                    						asm("adc eax, [ecx+edx]");
                                    						_t1283 = _t1078 + 9;
                                    						 *(_t1283 + 0xcd61708) =  *(_t1283 + 0xcd61708) ^ _t1770;
                                    						 *_t1744 =  *_t1744 | _t1283;
                                    						 *(_t1293 + 0x13002a06) =  *(_t1293 + 0x13002a06) ^ _t1316;
                                    						 *_t1293 =  *_t1293 ^ _t1283;
                                    						 *_t1694 =  *_t1694 + _t1316;
                                    						 *_t1283 =  *_t1283 + _t1283;
                                    						_t1078 = _t1283;
                                    						 *_t1316 =  *_t1316 + _t1694;
                                    						goto L20;
                                    					}
                                    				}
                                    				if(_t1815 == 0) {
                                    					 *_t1088 =  *_t1088 + _t1088;
                                    					_t1279 = _t1088 + 0x28;
                                    					if (_t1279 == 0) goto L27;
                                    					 *_t1749 =  *_t1749 + _t1279;
                                    					asm("fimul word [eax]");
                                    					_t1088 = _t1279 +  *_t1293;
                                    					 *((intOrPtr*)(_t1088 + _t1088)) =  *((intOrPtr*)(_t1088 + _t1088)) - _t1088;
                                    					 *_t1694 =  *_t1694 + _t1316;
                                    					asm("fsubr qword [edx]");
                                    				}
                                    				_t1089 = _t1088 -  *_t1088;
                                    				 *_t1089 =  *_t1089 + _t1089;
                                    				 *_t1089 =  *_t1089 + _t1694;
                                    				 *_t1089 =  *_t1089 + _t1089;
                                    				_t1090 = _t1089 +  *_t1089;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				asm("sbb [eax], bl");
                                    				 *_t1090 =  *_t1090 + _t1316;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				asm("adc esi, [eax]");
                                    				 *((intOrPtr*)(_t1757 + 7)) =  *((intOrPtr*)(_t1757 + 7)) + _t1090;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				if (_t1316 +  *_t1090 != 0) goto L29;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				_t1318 = es;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				_t1319 = _t1318 +  *_t1090;
                                    				if (_t1319 != 0) goto L30;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				_t1295 = es;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				_t1320 = _t1319 +  *_t1090;
                                    				if (_t1320 != 0) goto L31;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				_t1758 = es;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				_t1321 = _t1320 +  *_t1090;
                                    				if (_t1321 != 0) goto L32;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				_t1745 = es;
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				_push(es);
                                    				_t1322 = _t1321 +  *_t1090;
                                    				if (_t1322 <= 0) goto L33;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				asm("popad");
                                    				 *_t1090 = _t1090 +  *_t1090;
                                    				_push(es);
                                    				_t1323 = _t1322 +  *_t1090;
                                    				if (_t1323 > 0) goto L34;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				asm("arpl [eax], ax");
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				_t1324 = _t1323 +  *_t1090;
                                    				if (_t1324 > 0) goto L35;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				 *[gs:eax] =  *[gs:eax] + _t1090;
                                    				_push(es);
                                    				_t1325 = _t1324 +  *_t1090;
                                    				if (_t1325 < 0) goto L36;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				 *((intOrPtr*)(_t1295 + _t1749)) =  *((intOrPtr*)(_t1295 + _t1749)) + _t1090;
                                    				_push(es);
                                    				_t1326 = _t1325 +  *_t1090;
                                    				if (_t1326 != 0) goto L37;
                                    				 *_t1749 = _t1090 +  *_t1749;
                                    				asm("outsd");
                                    				_t1091 =  *_t1090 * 0x28020600;
                                    				if (_t1091 >= 0) goto L38;
                                    				 *_t1749 =  *_t1749 + _t1091;
                                    				asm("outsd");
                                    				_t1092 =  *_t1091 * 0;
                                    				_push(es);
                                    				_t1327 = _t1326 +  *_t1092;
                                    				if (_t1327 >= 0) goto L39;
                                    				 *_t1749 =  *_t1749 + _t1092;
                                    				asm("outsd");
                                    				asm("insd");
                                    				 *_t1092 =  *_t1092 + _t1092;
                                    				_push(es);
                                    				_t1328 = _t1327 +  *_t1092;
                                    				if (_t1328 >= 0) goto L40;
                                    				 *_t1749 =  *_t1749 + _t1092;
                                    				asm("outsd");
                                    				asm("outsd");
                                    				 *_t1092 =  *_t1092 + _t1092;
                                    				_push(es);
                                    				_t1329 = _t1328 +  *((intOrPtr*)(_t1745 + 0x60));
                                    				 *_t1092 =  *_t1092 + _t1092;
                                    				_push(es);
                                    				 *_t1694 =  *_t1694 - _t1295;
                                    				 *_t1749 =  *_t1749 + _t1092;
                                    				do {
                                    					_push(es);
                                    					_t1330 = _t1329 +  *_t1092;
                                    					if (_t1330 != 0) goto L42;
                                    					 *_t1749 =  *_t1749 + _t1092;
                                    					 *_t1092 =  *_t1092 + _t1092;
                                    					ss = es;
                                    					 *((intOrPtr*)(_t1092 + _t1092)) =  *((intOrPtr*)(_t1092 + _t1092)) - _t1295;
                                    					_push(es);
                                    					_t1332 = _t1330 +  *((intOrPtr*)(_t1745 + 0x58)) +  *((intOrPtr*)(_t1745 + 0x58));
                                    					 *_t1092 =  *_t1092 + _t1092;
                                    					_push(es);
                                    					if( *_t1092 < 0) {
                                    						L49:
                                    						_t1092 = _t1092 +  *_t1092;
                                    						 *_t1745 =  *_t1745 + _t1295;
                                    						asm("aaa");
                                    						if( *_t1745 >= 0) {
                                    							goto L58;
                                    						} else {
                                    							 *_t1092 =  *_t1092 + _t1092;
                                    							_t1329 = _t1332 |  *_t1092;
                                    							 *_t1092 =  *_t1092 + 0x6f020600;
                                    							_pop(_t1278);
                                    							 *_t1278 =  *_t1278 + _t1278;
                                    							_push(es);
                                    							_push(ss);
                                    							 *((intOrPtr*)(_t1694 + 0x2060000)) =  *((intOrPtr*)(_t1694 + 0x2060000)) - _t1278;
                                    							goto L51;
                                    						}
                                    					} else {
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						if( *_t1092 >= 0) {
                                    							 *_t1092 =  *_t1092 + _t1092;
                                    							_pop(ss);
                                    							asm("sbb [esi], edx");
                                    							 *_t1758 =  *_t1758 - _t1295;
                                    							 *_t1749 =  *_t1749 + _t1092;
                                    							 *_t1749 =  *_t1749 - _t1295;
                                    							 *_t1749 =  *_t1749 + _t1092;
                                    							 *_t1092 =  *_t1092 + _t1092;
                                    							ds = es;
                                    							ds = _t1092;
                                    							_t1092 = _t1092 - 0x5373;
                                    							_t1332 = _t1332 + 0x00000001 +  *((intOrPtr*)(_t1745 + 0x58)) |  *_t1092;
                                    							if (_t1332 > 0) goto L46;
                                    						}
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						 *_t1749 =  *_t1749 + _t1092;
                                    						_t1332 = _t1332 +  *((intOrPtr*)(_t1745 + 0x58));
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						_push(es);
                                    						if( *_t1092 < 0) {
                                    							L58:
                                    							_t1333 = _t1332 - 1;
                                    							 *(_t1295 + 0x73000000) =  *(_t1295 + 0x73000000) & _t1092;
                                    							_push(_t1295);
                                    							 *_t1092 =  *_t1092 + _t1092;
                                    							L59:
                                    							_t1334 = _t1333 |  *_t1092;
                                    							if (_t1334 > 0) goto L60;
                                    							 *_t1749 =  *_t1749 + _t1092;
                                    							_t1335 = _t1334 +  *((intOrPtr*)(_t1745 + 0x5a));
                                    							 *_t1092 =  *_t1092 + _t1092;
                                    							_push(es);
                                    							if( *_t1092 < 0) {
                                    								L54:
                                    								asm("outsd");
                                    								_pop(_t1696);
                                    								 *_t1092 =  *_t1092 + _t1092;
                                    								ss = es;
                                    								 *((intOrPtr*)(_t1092 + _t1092)) =  *((intOrPtr*)(_t1092 + _t1092)) - _t1295;
                                    								_push(es);
                                    								_t1333 = _t1335 +  *((intOrPtr*)(_t1745 + 0x5a));
                                    								 *_t1092 =  *_t1092 + _t1092;
                                    								_push(es);
                                    								if( *_t1092 < 0) {
                                    									goto L64;
                                    								} else {
                                    									 *_t1092 =  *_t1092 + _t1092;
                                    									if( *_t1092 >= 0) {
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										_t1092 = _t1092 + 1;
                                    										_t1688 = _t1333 + 1;
                                    										_push(ss);
                                    										asm("sbb [esi], edx");
                                    										 *_t1758 =  *_t1758 - _t1295;
                                    										 *_t1749 =  *_t1749 + _t1092;
                                    										L57:
                                    										 *_t1749 =  *_t1749 - _t1295;
                                    										 *_t1749 =  *_t1749 + _t1092;
                                    										_t1332 = _t1688 +  *((intOrPtr*)(_t1745 + 0x5a));
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										ds = es;
                                    										goto L58;
                                    									}
                                    									goto L59;
                                    								}
                                    							} else {
                                    								 *_t1092 =  *_t1092 + _t1092;
                                    								if( *_t1092 < 0) {
                                    									L66:
                                    									asm("outsd");
                                    									_pop(_t1697);
                                    									 *_t1092 =  *_t1092 + _t1092;
                                    									_push(es);
                                    									if( *_t1092 < 0) {
                                    										goto L63;
                                    									} else {
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										if( *_t1092 < 0) {
                                    											L71:
                                    											 *_t1749 =  *_t1749 - _t1295;
                                    											 *_t1749 =  *_t1749 + _t1092;
                                    											_t1333 = _t1333 +  *((intOrPtr*)(_t1745 + 0x5c));
                                    											 *_t1092 =  *_t1092 + _t1092;
                                    											_push(es);
                                    											 *(_t1758 + 0x20000000) =  *(_t1758 + 0x20000000) & _t1092;
                                    											goto L72;
                                    										} else {
                                    											 *_t1092 =  *_t1092;
                                    											_push(es);
                                    											 *_t1092 =  *_t1092 + _t1092;
                                    											ss = es;
                                    											 *((intOrPtr*)(_t1092 + _t1092)) =  *((intOrPtr*)(_t1092 + _t1092)) - _t1295;
                                    											_push(es);
                                    											_t1336 = _t1333 +  *((intOrPtr*)(_t1745 + 0x5c)) +  *((intOrPtr*)(_t1745 + 0x5c));
                                    											 *_t1092 =  *_t1092 + _t1092;
                                    											_push(es);
                                    											if( *_t1092 < 0) {
                                    												_pop(_t1770);
                                    												 *_t1092 =  *_t1092 + _t1092;
                                    												_t1295 = _t1295 & _t1295;
                                    												 *_t1092 =  *_t1092 + _t1092;
                                    												 *_t1745 =  *_t1745 + _t1295;
                                    												ds = es;
                                    												if( *_t1745 >= 0) {
                                    													L90:
                                    													asm("adc al, [ecx]");
                                    													 *_t1092 =  *_t1092 + _t1092;
                                    													_t1697 = _t1697 & _t1092;
                                    													 *_t1092 =  *_t1092 + _t1092;
                                    													 *((intOrPtr*)(_t1295 + 0x53)) =  *((intOrPtr*)(_t1295 + 0x53)) + _t1697;
                                    													goto L91;
                                    												} else {
                                    													 *_t1092 =  *_t1092 + _t1092;
                                    													_t1683 = _t1336 |  *_t1092;
                                    													 *_t1092 =  *_t1092 + 0x6f020600;
                                    													 *_t1092 =  *_t1092 + _t1092;
                                    													_push(es);
                                    													asm("sbb [eax], ch");
                                    													L80:
                                    													 *_t1092 =  *_t1092;
                                    													_t1683 = _t1683 +  *((intOrPtr*)(_t1745 + 0x5c));
                                    													asm("outsd");
                                    													_t1770 = es;
                                    													 *_t1092 =  *_t1092 + _t1092;
                                    													_push(es);
                                    													if( *_t1092 < 0) {
                                    														L95:
                                    														_t1092 = _t1092 +  *_t1092;
                                    														if(_t1092 < 0) {
                                    															goto L99;
                                    														} else {
                                    															 *_t1092 =  *_t1092;
                                    															_push(es);
                                    															_t1336 = _t1683 +  *((intOrPtr*)(_t1745 + 0x5e));
                                    															goto L97;
                                    														}
                                    													} else {
                                    														_t1092 = _t1092 +  *_t1092;
                                    														if(_t1092 < 0) {
                                    															L89:
                                    															 *_t1749 =  *_t1749 - _t1295;
                                    															 *_t1749 =  *_t1749 + _t1092;
                                    															_t1336 = _t1683 +  *((intOrPtr*)(_t1745 + 0x5e));
                                    															 *_t1092 =  *_t1092 + _t1092;
                                    															_push(es);
                                    															 *_t1697 =  *_t1697 & _t1697;
                                    															goto L90;
                                    														} else {
                                    															 *_t1092 =  *_t1092;
                                    															_push(es);
                                    															_t1333 = _t1683 +  *((intOrPtr*)(_t1745 + 0x5e));
                                    															 *_t1092 =  *_t1092 + _t1092;
                                    															ss = es;
                                    															_t68 = _t1092 + _t1092;
                                    															 *_t68 =  *((intOrPtr*)(_t1092 + _t1092)) - _t1295;
                                    															_t1870 =  *_t68;
                                    															if (_t1870 < 0) goto L86;
                                    															 *_t1749 =  *_t1749 + _t1092;
                                    															_t1336 = _t1333 +  *((intOrPtr*)(_t1745 + 0x5e));
                                    															 *_t1092 =  *_t1092 + _t1092;
                                    															_push(es);
                                    															if( *_t1092 < 0) {
                                    																L97:
                                    																_pop(_t1750);
                                    																 *_t1092 =  *_t1092 + _t1092;
                                    																_t77 = _t1750 + 0x1f000000;
                                    																 *_t77 =  *(_t1750 + 0x1f000000) & _t1092;
                                    																ds = es;
                                    																if( *_t77 < 0) {
                                    																	 *_t1092 =  *_t1092 + _t1092;
                                    																	 *_t1092 =  *_t1092 + 0x6f020600;
                                    																	 *_t1092 =  *_t1092 + _t1092;
                                    																	_push(es);
                                    																	asm("sbb [eax], ebp");
                                    																	 *_t1092 =  *_t1092;
                                    																	_push(es);
                                    																	_t1683 = (_t1336 |  *_t1092) +  *((intOrPtr*)(_t1745 + 0x5e));
                                    																	L99:
                                    																	asm("outsd");
                                    																	_pop(_t1749);
                                    																	 *_t1092 =  *_t1092 + _t1092;
                                    																	_push(es);
                                    																	if( *_t1092 < 0) {
                                    																		_t1683 = _t1683 +  *((intOrPtr*)(_t1745 + 0x5e));
                                    																		 *_t1092 =  *_t1092 + _t1092;
                                    																		_push(es);
                                    																		if( *_t1092 < 0) {
                                    																			goto L80;
                                    																		} else {
                                    																			goto L95;
                                    																		}
                                    																	} else {
                                    																		_t1092 = _t1092 +  *_t1092;
                                    																		if(_t1092 >= 0) {
                                    																			 *_t1092 =  *_t1092;
                                    																			_push(es);
                                    																			_t1684 = _t1683 +  *((intOrPtr*)(_t1745 + 0x60));
                                    																			 *_t1092 =  *_t1092 + _t1092;
                                    																			_push(es);
                                    																			 *_t1758 =  *_t1758 - _t1697;
                                    																			 *_t1092 =  *_t1092 + _t1092;
                                    																			 *_t1749 =  *_t1749 + _t1092;
                                    																			_t1683 = (_t1684 |  *_t1092) +  *((intOrPtr*)(_t1745 + 0x60));
                                    																			 *_t1092 =  *_t1092 + _t1092;
                                    																			_push(es);
                                    																			 *((intOrPtr*)(_t1758 + 0x2060000)) =  *((intOrPtr*)(_t1758 + 0x2060000)) - _t1092;
                                    																			asm("outsd");
                                    																			asm("bound eax, [eax]");
                                    																			 *_t1749 =  *_t1749 + _t1092;
                                    																			 *((intOrPtr*)(_t1749 + 0x2060000)) =  *((intOrPtr*)(_t1749 + 0x2060000)) - _t1092;
                                    																		}
                                    																		 *_t1749 =  *_t1749 + _t1092;
                                    																		_t1336 = _t1683 +  *((intOrPtr*)(_t1745 + 0x60));
                                    																		 *_t1092 =  *_t1092 + _t1092;
                                    																		_push(es);
                                    																		 *((intOrPtr*)(_t1758 + 0x2060000)) =  *((intOrPtr*)(_t1758 + 0x2060000)) - _t1092;
                                    																	}
                                    																}
                                    															} else {
                                    																 *_t1092 =  *_t1092 + _t1092;
                                    																if( *_t1092 >= 0) {
                                    																	 *_t1092 =  *_t1092 + _t1092;
                                    																	_t1092 = _t1092 &  *(_t1336 + 0x17);
                                    																	asm("sbb [esi], edx");
                                    																	 *_t1758 =  *_t1758 - _t1295;
                                    																	 *_t1749 =  *_t1749 + _t1092;
                                    																	goto L89;
                                    																}
                                    																L91:
                                    																_push(_t1295);
                                    															}
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												 *_t1092 =  *_t1092 + _t1092;
                                    												if( *_t1092 >= 0) {
                                    													 *_t1092 =  *_t1092 + _t1092;
                                    													_t1092 = _t1092 &  *(_t1336 + 0x16);
                                    													asm("sbb [esi], edx");
                                    													 *_t1758 =  *_t1758 - _t1295;
                                    													 *_t1749 =  *_t1749 + _t1092;
                                    													goto L71;
                                    												}
                                    												goto L73;
                                    											}
                                    										}
                                    									}
                                    								} else {
                                    									 *_t1092 =  *_t1092;
                                    									_push(es);
                                    									_t1333 = _t1335 +  *((intOrPtr*)(_t1745 + 0x5a));
                                    									L63:
                                    									_pop(_t1696);
                                    									 *_t1092 =  *_t1092 + _t1092;
                                    									L64:
                                    									 *(_t1758 + 2) =  *(_t1758 + 2) & _t1092;
                                    									 *_t1092 =  *_t1092 + _t1092;
                                    									ds = es;
                                    									_t1697 = _t1696 - 1;
                                    									if(_t1697 >= 0) {
                                    										L72:
                                    										asm("movsd");
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										_t1092 = _t1092 +  *_t1333;
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										if ( *_t1092 >= 0) goto L85;
                                    										L73:
                                    										_push(_t1295);
                                    									} else {
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										_t1333 = _t1333 |  *_t1092;
                                    										 *_t1092 =  *_t1092 + 0x6f020600;
                                    										_pop(_t1741);
                                    										 *_t1092 =  *_t1092 + _t1092;
                                    										ss = es;
                                    										 *((intOrPtr*)(_t1741 + 0x2060000)) =  *((intOrPtr*)(_t1741 + 0x2060000)) - _t1092;
                                    										goto L66;
                                    									}
                                    								}
                                    							}
                                    						} else {
                                    							 *_t1092 =  *_t1092 + _t1092;
                                    							if( *_t1092 < 0) {
                                    								goto L51;
                                    							} else {
                                    								 *_t1092 =  *_t1092;
                                    								_push(es);
                                    								_t1332 = _t1332 +  *((intOrPtr*)(_t1745 + 0x58));
                                    								 *_t1092 =  *_t1092 + _t1092;
                                    								_push(es);
                                    								 *(_t1745 + 0x1f000002) =  *(_t1745 + 0x1f000002) & _t1694;
                                    								goto L49;
                                    							}
                                    						}
                                    					}
                                    					L104:
                                    					_push(es);
                                    					_t1337 = _t1336 +  *((intOrPtr*)(_t1745 + 0x64));
                                    					 *_t1092 =  *_t1092 + _t1092;
                                    					_push(es);
                                    					 *((intOrPtr*)(_t1750 + 0x2060000)) =  *((intOrPtr*)(_t1750 + 0x2060000)) - _t1092;
                                    					while(1) {
                                    						asm("outsd");
                                    						asm("pushad");
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						_push(es);
                                    						_t1697 = _t1697 & _t1697;
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						if( *_t1092 >= 0) {
                                    							break;
                                    						}
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						_t1680 = _t1337 |  *_t1092;
                                    						if (_t1680 > 0) goto L107;
                                    						 *_t1750 =  *_t1750 + _t1092;
                                    						_t1337 = _t1680 +  *((intOrPtr*)(_t1745 + 0x60));
                                    						 *_t1092 =  *_t1092 + _t1092;
                                    						_push(es);
                                    						if( *_t1092 < 0) {
                                    							continue;
                                    						} else {
                                    							_t1277 = _t1092 +  *_t1092;
                                    							if(_t1277 >= 0) {
                                    								 *_t1277 =  *_t1277;
                                    								_push(es);
                                    								_t1681 = _t1337 +  *((intOrPtr*)(_t1745 + 0x60));
                                    								 *_t1277 = _t1277 +  *_t1277;
                                    								_push(es);
                                    								 *_t1697 =  *_t1697 & _t1681;
                                    								 *_t1277 = _t1277 +  *_t1277;
                                    								 *_t1277 = _t1277 +  *_t1277;
                                    								asm("pushfd");
                                    								 *_t1277 = _t1277 +  *_t1277;
                                    								 *((intOrPtr*)(_t1295 + 0x54)) =  *((intOrPtr*)(_t1295 + 0x54)) + _t1697;
                                    								 *_t1277 = _t1277 +  *_t1277;
                                    								_t1337 = _t1681 |  *_t1277;
                                    								 *_t1277 =  *_t1277 + 0x6f020600;
                                    								asm("pushad");
                                    								 *_t1277 = _t1277 +  *_t1277;
                                    								_push(es);
                                    								asm("sbb ch, [eax]");
                                    								 *_t1277 =  *_t1277;
                                    							}
                                    							 *_t1750 =  *_t1750 + _t1277;
                                    							_t1337 = _t1337 +  *((intOrPtr*)(_t1745 + 0x60));
                                    							 *_t1277 = _t1277 +  *_t1277;
                                    							_push(es);
                                    							_push(ss);
                                    							 *((intOrPtr*)(_t1745 + 0x2060000)) =  *((intOrPtr*)(_t1745 + 0x2060000)) - _t1277;
                                    							do {
                                    								asm("outsd");
                                    								asm("pushad");
                                    								 *_t1277 = _t1277 +  *_t1277;
                                    								_push(es);
                                    							} while ( *_t1277 < 0);
                                    							_t1092 = _t1277 +  *_t1277;
                                    						}
                                    						break;
                                    					}
                                    					 *((intOrPtr*)(_t1092 + 0x28)) =  *((intOrPtr*)(_t1092 + 0x28)) + _t1697;
                                    					L51:
                                    					asm("outsd");
                                    					_pop(_t1092);
                                    					 *_t1092 =  *_t1092 + _t1092;
                                    					_push(es);
                                    				} while ( *_t1092 < 0);
                                    				 *_t1092 =  *_t1092 + _t1092;
                                    				if( *_t1092 < 0) {
                                    					goto L57;
                                    				} else {
                                    					 *_t1092 =  *_t1092;
                                    					_push(es);
                                    					_t1335 = _t1329 +  *((intOrPtr*)(_t1745 + 0x5a));
                                    					goto L54;
                                    				}
                                    				goto L104;
                                    			}
                                    [Disassembly address column only (0x00792a9a - 0x00792dc7, with 0x00000000 entries at branch ends); the instruction text for these addresses is not present in the extracted report.]
                                    0x00792dc8
                                    0x00000000
                                    0x00792dc8
                                    0x00792d71
                                    0x00792d71
                                    0x00792d73
                                    0x00792d75
                                    0x00792d79
                                    0x00792d7a
                                    0x00792d7c
                                    0x00792d7f
                                    0x00792d81
                                    0x00792d84
                                    0x00792d89
                                    0x00792d8c
                                    0x00792d8e
                                    0x00792d8f
                                    0x00792d94
                                    0x00792d96
                                    0x00792d96
                                    0x00792d97
                                    0x00792d98
                                    0x00792d9a
                                    0x00792d9d
                                    0x00792d9f
                                    0x00792da0
                                    0x00792e0d
                                    0x00792e0d
                                    0x00792e0e
                                    0x00792e14
                                    0x00792e15
                                    0x00792e17
                                    0x00792e17
                                    0x00792e19
                                    0x00792e1b
                                    0x00792e1d
                                    0x00792e20
                                    0x00792e22
                                    0x00792e23
                                    0x00792dde
                                    0x00792dde
                                    0x00792ddf
                                    0x00792de0
                                    0x00792de3
                                    0x00792de4
                                    0x00792de8
                                    0x00792de9
                                    0x00792dec
                                    0x00792dee
                                    0x00792def
                                    0x00000000
                                    0x00792df1
                                    0x00792df1
                                    0x00792df3
                                    0x00792df5
                                    0x00792df7
                                    0x00792df8
                                    0x00792df9
                                    0x00792dfa
                                    0x00792dfc
                                    0x00792dff
                                    0x00792e01
                                    0x00792e01
                                    0x00792e04
                                    0x00792e06
                                    0x00792e09
                                    0x00792e0c
                                    0x00000000
                                    0x00792e0c
                                    0x00000000
                                    0x00792df3
                                    0x00792e25
                                    0x00792e25
                                    0x00792e27
                                    0x00792e51
                                    0x00792e51
                                    0x00792e52
                                    0x00792e53
                                    0x00792e55
                                    0x00792e56
                                    0x00000000
                                    0x00792e58
                                    0x00792e58
                                    0x00792e5a
                                    0x00792e84
                                    0x00792e84
                                    0x00792e87
                                    0x00792e89
                                    0x00792e8c
                                    0x00792e8e
                                    0x00792e8f
                                    0x00000000
                                    0x00792e5c
                                    0x00792e5c
                                    0x00792e5f
                                    0x00792e63
                                    0x00792e66
                                    0x00792e67
                                    0x00792e6b
                                    0x00792e6c
                                    0x00792e6f
                                    0x00792e71
                                    0x00792e72
                                    0x00792eb5
                                    0x00792eb6
                                    0x00792eb9
                                    0x00792ebb
                                    0x00792ebd
                                    0x00792ebf
                                    0x00792ec0
                                    0x00792f16
                                    0x00792f16
                                    0x00792f18
                                    0x00792f1a
                                    0x00792f1c
                                    0x00792f1e
                                    0x00000000
                                    0x00792ec2
                                    0x00792ec2
                                    0x00792ec4
                                    0x00792ec6
                                    0x00792ecd
                                    0x00792ecf
                                    0x00792ed0
                                    0x00792ed2
                                    0x00792ed2
                                    0x00792ed6
                                    0x00792ed7
                                    0x00792ed8
                                    0x00792ed9
                                    0x00792edb
                                    0x00792edc
                                    0x00792f31
                                    0x00792f31
                                    0x00792f33
                                    0x00000000
                                    0x00792f35
                                    0x00792f35
                                    0x00792f38
                                    0x00792f39
                                    0x00000000
                                    0x00792f39
                                    0x00792ede
                                    0x00792ede
                                    0x00792ee0
                                    0x00792f0a
                                    0x00792f0a
                                    0x00792f0d
                                    0x00792f0f
                                    0x00792f12
                                    0x00792f14
                                    0x00792f15
                                    0x00000000
                                    0x00792ee2
                                    0x00792ee2
                                    0x00792ee5
                                    0x00792ee6
                                    0x00792ee9
                                    0x00792eec
                                    0x00792eed
                                    0x00792eed
                                    0x00792eed
                                    0x00792eee
                                    0x00792ef0
                                    0x00792ef2
                                    0x00792ef5
                                    0x00792ef7
                                    0x00792ef8
                                    0x00792f3b
                                    0x00792f3b
                                    0x00792f3c
                                    0x00792f3f
                                    0x00792f3f
                                    0x00792f45
                                    0x00792f46
                                    0x00792f48
                                    0x00792f4c
                                    0x00792f53
                                    0x00792f55
                                    0x00792f56
                                    0x00792f58
                                    0x00792f5b
                                    0x00792f5c
                                    0x00792f5d
                                    0x00792f5d
                                    0x00792f5e
                                    0x00792f5f
                                    0x00792f61
                                    0x00792f62
                                    0x00792f29
                                    0x00792f2c
                                    0x00792f2e
                                    0x00792f2f
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00792f64
                                    0x00792f64
                                    0x00792f66
                                    0x00792f68
                                    0x00792f6b
                                    0x00792f6c
                                    0x00792f6f
                                    0x00792f71
                                    0x00792f72
                                    0x00792f74
                                    0x00792f7a
                                    0x00792f7c
                                    0x00792f7f
                                    0x00792f81
                                    0x00792f82
                                    0x00792f88
                                    0x00792f89
                                    0x00792f8b
                                    0x00792f8d
                                    0x00792f8d
                                    0x00792f90
                                    0x00792f92
                                    0x00792f95
                                    0x00792f97
                                    0x00792f98
                                    0x00792f98
                                    0x00792f62
                                    0x00792efa
                                    0x00792efa
                                    0x00792efc
                                    0x00792efe
                                    0x00792f00
                                    0x00792f03
                                    0x00792f05
                                    0x00792f08
                                    0x00000000
                                    0x00792f08
                                    0x00792f20
                                    0x00792f20
                                    0x00792f20
                                    0x00792ef8
                                    0x00792ee0
                                    0x00792edc
                                    0x00792e74
                                    0x00792e74
                                    0x00792e76
                                    0x00792e78
                                    0x00792e7a
                                    0x00792e7d
                                    0x00792e7f
                                    0x00792e82
                                    0x00000000
                                    0x00792e82
                                    0x00000000
                                    0x00792e76
                                    0x00792e72
                                    0x00792e5a
                                    0x00792e29
                                    0x00792e29
                                    0x00792e2c
                                    0x00792e2d
                                    0x00792e2f
                                    0x00792e2f
                                    0x00792e30
                                    0x00792e32
                                    0x00792e33
                                    0x00792e36
                                    0x00792e38
                                    0x00792e39
                                    0x00792e3a
                                    0x00792e90
                                    0x00792e90
                                    0x00792e91
                                    0x00792e93
                                    0x00792e95
                                    0x00792e97
                                    0x00792e99
                                    0x00792e9a
                                    0x00792e9a
                                    0x00792e3c
                                    0x00792e3c
                                    0x00792e3e
                                    0x00792e40
                                    0x00792e46
                                    0x00792e47
                                    0x00792e4a
                                    0x00792e4b
                                    0x00000000
                                    0x00792e4b
                                    0x00792e3a
                                    0x00792e27
                                    0x00792da2
                                    0x00792da2
                                    0x00792da4
                                    0x00000000
                                    0x00792da6
                                    0x00792da6
                                    0x00792da9
                                    0x00792daa
                                    0x00792dad
                                    0x00792daf
                                    0x00792db0
                                    0x00000000
                                    0x00792db0
                                    0x00792da4
                                    0x00792da0
                                    0x00792f9c
                                    0x00792f9c
                                    0x00792f9d
                                    0x00792fa0
                                    0x00792fa2
                                    0x00792fa3
                                    0x00792fa9
                                    0x00792fa9
                                    0x00792faa
                                    0x00792fab
                                    0x00792fad
                                    0x00792fae
                                    0x00792fb0
                                    0x00792fb2
                                    0x00792fb6
                                    0x00792fb8
                                    0x00000000
                                    0x00000000
                                    0x00792fba
                                    0x00792fbc
                                    0x00792fbe
                                    0x00792fc0
                                    0x00792fc2
                                    0x00792fc5
                                    0x00792fc7
                                    0x00792fc8
                                    0x00000000
                                    0x00792fca
                                    0x00792fca
                                    0x00792fcc
                                    0x00792fce
                                    0x00792fd1
                                    0x00792fd2
                                    0x00792fd5
                                    0x00792fd7
                                    0x00792fd8
                                    0x00792fda
                                    0x00792fdc
                                    0x00792fde
                                    0x00792fdf
                                    0x00792fe1
                                    0x00792fe4
                                    0x00792fe6
                                    0x00792fe8
                                    0x00792fee
                                    0x00792fef
                                    0x00792ff1
                                    0x00792ff2
                                    0x00792ff4
                                    0x00792ff4
                                    0x00792ff6
                                    0x00792ff8
                                    0x00792ffb
                                    0x00792ffd
                                    0x00792ffe
                                    0x00792fff
                                    0x00793005
                                    0x00793005
                                    0x00793006
                                    0x00793007
                                    0x00793009
                                    0x00793009
                                    0x0079300c
                                    0x0079300c
                                    0x00000000
                                    0x00792fc8
                                    0x0079300d
                                    0x00792dce
                                    0x00792dce
                                    0x00792dcf
                                    0x00792dd0
                                    0x00792dd2
                                    0x00792dd2
                                    0x00792dd5
                                    0x00792dd7
                                    0x00000000
                                    0x00792dd9
                                    0x00792dd9
                                    0x00792ddc
                                    0x00792ddd
                                    0x00000000
                                    0x00792ddd
                                    0x00000000

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485519399.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                    • Associated: 00000000.00000002.485512124.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.485626977.0000000000828000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_790000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 54c16988bc374efbe8984b744a0d422c9886ef6c69ca86c5214c3506f4c5c420
                                    • Instruction ID: e4bde77b2b9d13c9e7d3b6b0f8079352e180649373d1cdc18f2946681893bdfc
                                    • Opcode Fuzzy Hash: 54c16988bc374efbe8984b744a0d422c9886ef6c69ca86c5214c3506f4c5c420
                                    • Instruction Fuzzy Hash: 3633176104F7C22FDB134B346C756E67FB86E9322471E45CBE8C08B5A3E2181A69D376
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6f1360b412ff9521b9a7d15cea66dd371a8d54bf8db45fdb64c1d44c0475908
                                    • Instruction ID: 6d0aa52dcda6bbc0d7412577da06f2f9ee7f31cdf8e85593c043e973c9d01f53
                                    • Opcode Fuzzy Hash: d6f1360b412ff9521b9a7d15cea66dd371a8d54bf8db45fdb64c1d44c0475908
                                    • Instruction Fuzzy Hash: A212B7F16117468FD3B8CF6AE9882893F63B755328B904328D1711BAD9D7B4A1CACF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a7d4d0f5b89480d0a03cdf61189c0f0b2442bca6c2c42cb3298f42ca3e63739c
                                    • Instruction ID: 51ff953e3229c62846ea6e4ae3ed4be78804d6b6a9edccbb7ad21e5ad9db53a6
                                    • Opcode Fuzzy Hash: a7d4d0f5b89480d0a03cdf61189c0f0b2442bca6c2c42cb3298f42ca3e63739c
                                    • Instruction Fuzzy Hash: 28A18E32E00229CFCF15DFB5D8445DEBBB2FF85300B15856AE815BB221EB39A955DB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.485915940.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f20000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dd3dedfe7938a50560df1cae8388c25107d97d975558dbab03ec0422a17664be
                                    • Instruction ID: 8d22285512c1184623f47fc5a8c76aafffa0d3818322e0d24628179f30fdc344
                                    • Opcode Fuzzy Hash: dd3dedfe7938a50560df1cae8388c25107d97d975558dbab03ec0422a17664be
                                    • Instruction Fuzzy Hash: 1CC12DB16117468ED3A8CF6AE9841897F73BB95328F504328D1716BAD8D7B470CACF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:5.4%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:19
                                    Total number of Limit Nodes:2

                                    Control-flow Graph

                                    control_flow_graph 26 64517de-6451823 TabbedTextOutA
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.721402619.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6450000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: TabbedText
                                    • String ID:
                                    • API String ID: 419215656-0
                                    • Opcode ID: c5e51ebcdb5af1d9657f277750cf73e396762a2027a876d7ce359ad765eec7f9
                                    • Instruction ID: 2dea4cd165df9a835f14b308d36583967bb99208d69b7410813c6ae66533f04e
                                    • Opcode Fuzzy Hash: c5e51ebcdb5af1d9657f277750cf73e396762a2027a876d7ce359ad765eec7f9
                                    • Instruction Fuzzy Hash: 72E06822B0D2408FD36A9368E415B1D7BB9EF86215F0600EBD50ECF293E8119C0543E3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 34 64517f8-6451823 TabbedTextOutA
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.721402619.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6450000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: TabbedText
                                    • String ID:
                                    • API String ID: 419215656-0
                                    • Opcode ID: cabef6675a42fe75c98bb5baddeea42557116dc9a463969da265188aaef1f6fd
                                    • Instruction ID: c29c76fc42165634c8b63d252b7e3cce43fad49e379ef0e631b04268c3b85ead
                                    • Opcode Fuzzy Hash: cabef6675a42fe75c98bb5baddeea42557116dc9a463969da265188aaef1f6fd
                                    • Instruction Fuzzy Hash: 77D0A731B18024DF57A866ACB414ABC33ADEBCD75531200ABED0BCB352ED526C0247E3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:10.3%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:104
                                    Total number of Limit Nodes:11

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00ABB650
                                    • GetCurrentThread.KERNEL32 ref: 00ABB68D
                                    • GetCurrentProcess.KERNEL32 ref: 00ABB6CA
                                    • GetCurrentThreadId.KERNEL32 ref: 00ABB723
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 5a73962d180c89c40930f7aee7720ae95bfaa24c7bb48ee6ebb37ca9b651e5ff
                                    • Instruction ID: 7245a6c76211fbd0d918f9a6f0ec23412b312bf78452eb69b1f150a88b67a52a
                                    • Opcode Fuzzy Hash: 5a73962d180c89c40930f7aee7720ae95bfaa24c7bb48ee6ebb37ca9b651e5ff
                                    • Instruction Fuzzy Hash: 1D5165B0D002498FDB14CFA9D588BEEBBF4FF49304F24846AE449A7391D7B45844CB69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00ABB650
                                    • GetCurrentThread.KERNEL32 ref: 00ABB68D
                                    • GetCurrentProcess.KERNEL32 ref: 00ABB6CA
                                    • GetCurrentThreadId.KERNEL32 ref: 00ABB723
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 3edd66c74c222811014e1d59fe6ba10bdf6a4d13b20aca27dc8c0a4080991b37
                                    • Instruction ID: 8b958895778222236b34c9edbf677ec98bbb96d8e6283f05ee6d7466423f9545
                                    • Opcode Fuzzy Hash: 3edd66c74c222811014e1d59fe6ba10bdf6a4d13b20aca27dc8c0a4080991b37
                                    • Instruction Fuzzy Hash: BF5153B0D002488FDB14CFAAD588BEEBBF4FF48304F248459E459A7390D7B4A844CB69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 38 4c13e30-4c13e47 40 4c13e49-4c13e58 38->40 41 4c13eaa-4c13eb8 38->41 40->41 44 4c13e5a-4c13e66 call 4c12f00 40->44 45 4c13ecb-4c13ecd 41->45 46 4c13eba-4c13ec5 call 4c12e54 41->46 52 4c13e68-4c13e74 44->52 53 4c13e7a-4c13e96 44->53 152 4c13ecf call 4c13e30 45->152 153 4c13ecf call 4c141e9 45->153 46->45 54 4c13f8a-4c14002 46->54 51 4c13ed5-4c13ee4 59 4c13ee6-4c13ef7 call 4c12f10 51->59 60 4c13efc-4c13eff 51->60 52->53 61 4c13f00-4c13f3e 52->61 66 4c13f45-4c13f83 53->66 67 4c13e9c-4c13ea0 53->67 80 4c14004-4c1400a 54->80 81 4c1400b-4c14015 54->81 59->60 61->66 66->54 67->41 85 4c14251-4c1427d 81->85 86 4c1401b-4c14034 call 4c12f34 * 2 81->86 93 4c14284-4c142c0 85->93 86->93 94 4c1403a-4c1405c 86->94 113 4c14311-4c14338 93->113 114 4c142c2-4c142dd 93->114 101 4c1406d-4c1407c 94->101 102 4c1405e-4c1406c call 4c12f10 94->102 107 4c140a1-4c140c2 101->107 108 4c1407e-4c1409b 101->108 118 4c14112-4c1413a 107->118 119 4c140c4-4c140d5 107->119 108->107 120 4c1433a-4c1434d 113->120 121 4c1434f-4c14375 GetCurrentThreadId 113->121 150 4c1413d call 4c14511 118->150 151 4c1413d call 4c14520 118->151 127 4c14104-4c14108 119->127 128 4c140d7-4c140ef call 4c12f44 119->128 129 4c14385-4c14392 120->129 124 4c14377-4c1437d 121->124 125 4c1437e 121->125 124->125 125->129 127->118 138 4c140f1-4c140f2 128->138 139 4c140f4-4c14102 128->139 134 4c14140-4c14165 141 4c14167-4c1417c 134->141 142 4c141ab 134->142 138->139 139->127 139->128 141->142 145 4c1417e-4c141a1 141->145 142->85 145->142 149 4c141a3 145->149 149->142 150->134 151->134 152->51 153->51
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.600650098.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_4c10000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a9ed7b92ef4b46f90e6d2218326f35326e5f75550d067a289db1f48d02a8a6c2
                                    • Instruction ID: c16633c4f08f7fd54b560560777a0335c9d9ba8f1ad57767c7909eafd1d36cbf
                                    • Opcode Fuzzy Hash: a9ed7b92ef4b46f90e6d2218326f35326e5f75550d067a289db1f48d02a8a6c2
                                    • Instruction Fuzzy Hash: 8ED18C347002148FDB18EBB5C4549EEB3F6EF89314B2448A9D406EB7A1DB35ED42DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 154 ab92f0-ab92f8 155 ab9303-ab9305 154->155 156 ab92fe call ab8d5c 154->156 157 ab931b-ab931f 155->157 158 ab9307 155->158 156->155 159 ab9333-ab9374 157->159 160 ab9321-ab932b 157->160 208 ab930d call ab9568 158->208 209 ab930d call ab9578 158->209 165 ab9381-ab938f 159->165 166 ab9376-ab937e 159->166 160->159 161 ab9313-ab9315 161->157 162 ab9450-ab9510 161->162 203 ab9518-ab9543 GetModuleHandleW 162->203 204 ab9512-ab9515 162->204 168 ab93b3-ab93b5 165->168 169 ab9391-ab9396 165->169 166->165 170 ab93b8-ab93bf 168->170 171 ab9398-ab939f call ab8d68 169->171 172 ab93a1 169->172 173 ab93cc-ab93d3 170->173 174 ab93c1-ab93c9 170->174 175 ab93a3-ab93b1 171->175 172->175 178 ab93e0-ab93e9 call ab8d78 173->178 179 ab93d5-ab93dd 173->179 174->173 175->170 184 ab93eb-ab93f3 178->184 185 ab93f6-ab93fb 178->185 179->178 184->185 187 ab9419-ab9426 185->187 188 ab93fd-ab9404 185->188 193 ab9449-ab944f 187->193 194 ab9428-ab9446 187->194 188->187 190 ab9406-ab9416 call ab8d88 call ab8d98 188->190 190->187 194->193 205 ab954c-ab9560 203->205 206 ab9545-ab954b 203->206 204->203 206->205 208->161 209->161
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00AB9536
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 7e831fb4534bd55f825f7cfe51d4d212b49bcbd022f79b5cde8bb01e5e286cef
                                    • Instruction ID: 392fd762a6c12c5ea4aaaca11a1223c96af053515552a801e8d45cd84a595c86
                                    • Opcode Fuzzy Hash: 7e831fb4534bd55f825f7cfe51d4d212b49bcbd022f79b5cde8bb01e5e286cef
                                    • Instruction Fuzzy Hash: B8711570A00B058FD724DF6AD0457ABBBF9BF88304F00892ED58A9BA51D735E945CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 210 abfb0c-abfb7e 211 abfb89-abfb90 210->211 212 abfb80-abfb86 210->212 213 abfb9b-abfbd3 211->213 214 abfb92-abfb98 211->214 212->211 215 abfbdb-abfc3a CreateWindowExW 213->215 214->213 216 abfc3c-abfc42 215->216 217 abfc43-abfc7b 215->217 216->217 221 abfc88 217->221 222 abfc7d-abfc80 217->222 223 abfc89 221->223 222->221 223->223
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ABFC2A
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: a685e2aa8c5ad259c0302aa324645b08315cd7dfee3cefa6070f4721469fa5d8
                                    • Instruction ID: d1234153a4c2fa55be88e19b7d156c1aa20e1deed163cacf04a40a5993fa6df2
                                    • Opcode Fuzzy Hash: a685e2aa8c5ad259c0302aa324645b08315cd7dfee3cefa6070f4721469fa5d8
                                    • Instruction Fuzzy Hash: 8B51E3B1D003489FDB14CFA9D884ADEBFB5FF89314F24852AE815AB251D7719885CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 224 abfb18-abfb7e 225 abfb89-abfb90 224->225 226 abfb80-abfb86 224->226 227 abfb9b-abfc3a CreateWindowExW 225->227 228 abfb92-abfb98 225->228 226->225 230 abfc3c-abfc42 227->230 231 abfc43-abfc7b 227->231 228->227 230->231 235 abfc88 231->235 236 abfc7d-abfc80 231->236 237 abfc89 235->237 236->235 237->237
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ABFC2A
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: e360460aeae2e56b70cc53842dbebf99f2f48d31df957457b3308126216b7de3
                                    • Instruction ID: ddabf5559e942d89534a099e7cfbd0b9dfa17b594550653652db902e6f0a7820
                                    • Opcode Fuzzy Hash: e360460aeae2e56b70cc53842dbebf99f2f48d31df957457b3308126216b7de3
                                    • Instruction Fuzzy Hash: 0A41C1B1D003089FDB14CFA9C984ADEBFB5FF48314F24862AE819AB251D7749985CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 238 abb810-abb8ac DuplicateHandle 239 abb8ae-abb8b4 238->239 240 abb8b5-abb8d2 238->240 239->240
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABB89F
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 0c2c89cf7b0eea779542857dd772287e657f28efa1bc350ad28e8ca0020ccaae
                                    • Instruction ID: 86ba361d7cc779defeaf9943fae8287f5c9ff1ce8d19b04aed730cd57a5ca6b6
                                    • Opcode Fuzzy Hash: 0c2c89cf7b0eea779542857dd772287e657f28efa1bc350ad28e8ca0020ccaae
                                    • Instruction Fuzzy Hash: 1A21F2B5D00248DFDB10CFA9D884AEEBBF8FF48324F14841AE854A3211D375A945CF60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 243 4c1fc50-4c1fca1 245 4c1fcb1-4c1fcea WriteProcessMemory 243->245 246 4c1fca3-4c1fcaf 243->246 247 4c1fcf3-4c1fd14 245->247 248 4c1fcec-4c1fcf2 245->248 246->245 248->247
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C1FCDD
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.600650098.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_4c10000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: 40e59b50b84c4e3e41744401d71b1f1b021374285b5b1017721dfc54fd68adfe
                                    • Instruction ID: 6a1a1cba9ea00b1af56ca8174f47c0b1b99ef3fc0c072f9936f8be940afcddbe
                                    • Opcode Fuzzy Hash: 40e59b50b84c4e3e41744401d71b1f1b021374285b5b1017721dfc54fd68adfe
                                    • Instruction Fuzzy Hash: D32114B59002499FCB10CFAAD884BDEBBF5FF49314F10842EE818A3250D778A944DFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 250 abb818-abb8ac DuplicateHandle 251 abb8ae-abb8b4 250->251 252 abb8b5-abb8d2 250->252 251->252
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABB89F
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: d4c34c843aa81b6329eed550aa075841be0b039473586d20b865c79262b23472
                                    • Instruction ID: 8503439c1ee2cb7ca90149c473141a3959ed1a9ee7638834aba77ff4a5deb4bc
                                    • Opcode Fuzzy Hash: d4c34c843aa81b6329eed550aa075841be0b039473586d20b865c79262b23472
                                    • Instruction Fuzzy Hash: FC21C4B5900248DFDB10CFA9D984AEEBBF8FF48324F14841AE954A7350D375A954CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 255 ab8dc0-ab9798 257 ab979a-ab979d 255->257 258 ab97a0-ab97cf LoadLibraryExW 255->258 257->258 259 ab97d8-ab97f5 258->259 260 ab97d1-ab97d7 258->260 260->259
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AB95B1,00000800,00000000,00000000), ref: 00AB97C2
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: a18312522f5a9da83e86b62584671e4a10a52f04f64f9f6b7d6dfa919bc5e0ae
                                    • Instruction ID: f79303ddb43bde9094fc99fbbbacdcefe361fd3fb02c5a7716306c43618be0fb
                                    • Opcode Fuzzy Hash: a18312522f5a9da83e86b62584671e4a10a52f04f64f9f6b7d6dfa919bc5e0ae
                                    • Instruction Fuzzy Hash: 3A1114B69002488FCB10CF9AC484AEFFBF8EF88314F14842AD519A7600C775A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 263 ab9750-ab9798 265 ab979a-ab979d 263->265 266 ab97a0-ab97cf LoadLibraryExW 263->266 265->266 267 ab97d8-ab97f5 266->267 268 ab97d1-ab97d7 266->268 268->267
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AB95B1,00000800,00000000,00000000), ref: 00AB97C2
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: af7221bfb5dc5e89936d6c8f11b477e868942f1209f3dfe69b9d6e3aeacc8a0f
                                    • Instruction ID: 80e8be317cfb2095cb33177d8c266524b5ad15a80819b955a29a49b17e6f437e
                                    • Opcode Fuzzy Hash: af7221bfb5dc5e89936d6c8f11b477e868942f1209f3dfe69b9d6e3aeacc8a0f
                                    • Instruction Fuzzy Hash: 992103B68003499FCB14CF9AC884ADEFBF8FF89324F14842AD559A7640C775A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 271 4c1a8dc-4c1b35d FindCloseChangeNotification 273 4c1b366-4c1b38e 271->273 274 4c1b35f-4c1b365 271->274 274->273
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,04C1B1A9,?,?), ref: 04C1B350
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.600650098.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_4c10000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    • Opcode ID: eb60d97fd929e143fe2ccb67e3cbbdbf395ef398d9d9d7757bf6954fa8ed81f1
                                    • Instruction ID: 69eb01450d6d59b5654c309aca3e9cd23c26422da1ff2916b960bb12e052839d
                                    • Opcode Fuzzy Hash: eb60d97fd929e143fe2ccb67e3cbbdbf395ef398d9d9d7757bf6954fa8ed81f1
                                    • Instruction Fuzzy Hash: 771116B58006098FCB10CF99C484BEEBBF4EF49324F148429D559A7640D778A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 277 ab94d0-ab9510 278 ab9518-ab9543 GetModuleHandleW 277->278 279 ab9512-ab9515 277->279 280 ab954c-ab9560 278->280 281 ab9545-ab954b 278->281 279->278 281->280
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00AB9536
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 87fc6e8b0e9c4f1728a42a37550bee69f6f05066d06a9e5d83c8c683d7a895a8
                                    • Instruction ID: 425ad9ebb789c3ac3f90811e35557e1b6ddb5d1fe773af62ecaecbea5ae37d27
                                    • Opcode Fuzzy Hash: 87fc6e8b0e9c4f1728a42a37550bee69f6f05066d06a9e5d83c8c683d7a895a8
                                    • Instruction Fuzzy Hash: 6411D2B6C006498FCB24CF9AD444ADEFBF8EF89324F14851AD519A7600D375A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 283 abfd59-abfdca SetWindowLongW 284 abfdcc-abfdd2 283->284 285 abfdd3-abfde7 283->285 284->285
                                    APIs
                                    • SetWindowLongW.USER32(?,?,?), ref: 00ABFDBD
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 2e4556b7a67f8d2118650648f9bba7ee73b3aa844137e812773990456326f4fd
                                    • Instruction ID: aed78cd37a12bb679db9b1e49d2289473b2cf05869d9dd8597f221f90db8248a
                                    • Opcode Fuzzy Hash: 2e4556b7a67f8d2118650648f9bba7ee73b3aa844137e812773990456326f4fd
                                    • Instruction Fuzzy Hash: 121103B58002488FDB10CF99D484BEFBBF8FB49324F24855AD859A7740C375A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 287 abfd60-abfdca SetWindowLongW 288 abfdcc-abfdd2 287->288 289 abfdd3-abfde7 287->289 288->289
                                    APIs
                                    • SetWindowLongW.USER32(?,?,?), ref: 00ABFDBD
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 4713789be536edec7c76f751341889ab94638cd0165130f2264270e0da40ce11
                                    • Instruction ID: 9fc926555528ccfa402ff86721f070e4632ca9874e67262f07a6c85ef04da8df
                                    • Opcode Fuzzy Hash: 4713789be536edec7c76f751341889ab94638cd0165130f2264270e0da40ce11
                                    • Instruction Fuzzy Hash: F81112B58002088FDB10CF9AD884BEEBBF8FB48324F14841AD819A7740C375A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.600650098.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_4c10000_5JbQqP8SDG.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 58cee7f52714f60c26761a5accb0917f44d062be2ebf587213e7d1dc6dfd563d
                                    • Instruction ID: 7178045a9d6f6ecfed17d21628b68f2731d410c52453df6eb1188698bbc548b6
                                    • Opcode Fuzzy Hash: 58cee7f52714f60c26761a5accb0917f44d062be2ebf587213e7d1dc6dfd563d
                                    • Instruction Fuzzy Hash: 6C1112B58002488FCB20CFAAD484BDEBBF8EF49324F14841AD419A7240C375A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:8.2%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:112
                                    Total number of Limit Nodes:7
                                    execution_graph 22823 7e86eab 22827 7e88a58 22823->22827 22830 7e88a60 22823->22830 22824 7e86ebc 22828 7e88aa8 VirtualProtect 22827->22828 22829 7e88ae2 22828->22829 22829->22824 22831 7e88aa8 VirtualProtect 22830->22831 22832 7e88ae2 22831->22832 22832->22824 22833 2f7b5f0 GetCurrentProcess 22834 2f7b663 22833->22834 22835 2f7b66a GetCurrentThread 22833->22835 22834->22835 22836 2f7b6a7 GetCurrentProcess 22835->22836 22837 2f7b6a0 22835->22837 22838 2f7b6dd 22836->22838 22837->22836 22839 2f7b705 GetCurrentThreadId 22838->22839 22840 2f7b736 22839->22840 22849 7e867e0 22851 7e88a58 VirtualProtect 22849->22851 22852 7e88a60 VirtualProtect 22849->22852 22850 7e867f1 22851->22850 22852->22850 22867 7e8fd40 22868 7e8fd88 SetThreadContext 22867->22868 22870 7e8fdc6 22868->22870 22871 7e8fe00 22872 7e8fe4b ReadProcessMemory 22871->22872 22873 7e8fe8e 22872->22873 22874 2f76458 22877 2f751ac 22874->22877 22876 2f76465 22878 2f751b7 22877->22878 22881 2f7542c 22878->22881 22880 2f76505 22880->22876 22882 2f75437 22881->22882 22885 2f7545c 22882->22885 22884 2f765e2 22884->22880 22886 2f75467 22885->22886 22889 2f7548c 22886->22889 22888 2f766e2 22888->22884 22890 2f75497 22889->22890 22892 2f76dfe 22890->22892 22895 2f791c0 22890->22895 22891 2f76e3c 22891->22888 22892->22891 22899 2f7b323 22892->22899 22904 2f791f8 22895->22904 22907 2f791e8 22895->22907 22896 2f791d6 22896->22892 22901 2f7b349 22899->22901 22900 2f7b36d 22900->22891 22901->22900 22931 2f7b4d1 22901->22931 22935 2f7b4d8 22901->22935 22911 2f792f0 22904->22911 22905 2f79207 22905->22896 22908 2f791f8 22907->22908 22910 2f792f0 2 API calls 22908->22910 22909 2f79207 22909->22896 22910->22909 22912 2f79303 22911->22912 22913 2f7931b 22912->22913 22919 2f79578 22912->22919 22923 2f79568 22912->22923 22913->22905 22914 2f79313 22914->22913 22915 2f79518 GetModuleHandleW 22914->22915 22916 2f79545 22915->22916 22916->22905 22920 2f7958c 22919->22920 22922 2f795b1 
22920->22922 22927 2f78dc0 22920->22927 22922->22914 22924 2f79578 22923->22924 22925 2f795b1 22924->22925 22926 2f78dc0 LoadLibraryExW 22924->22926 22925->22914 22926->22925 22928 2f79758 LoadLibraryExW 22927->22928 22930 2f797d1 22928->22930 22930->22922 22932 2f7b4d8 22931->22932 22933 2f7b51f 22932->22933 22939 2f79f94 22932->22939 22933->22900 22936 2f7b4e5 22935->22936 22937 2f79f94 2 API calls 22936->22937 22938 2f7b51f 22936->22938 22937->22938 22938->22900 22940 2f79f9f 22939->22940 22942 2f7c218 22940->22942 22943 2f7bdb4 22940->22943 22942->22942 22944 2f7bdbf 22943->22944 22945 2f7548c 2 API calls 22944->22945 22946 2f7c287 22944->22946 22945->22946 22950 2f7e008 22946->22950 22956 2f7dff8 22946->22956 22947 2f7c2c0 22947->22942 22952 2f7e086 22950->22952 22953 2f7e039 22950->22953 22951 2f7e045 22951->22947 22952->22947 22953->22951 22961 2f7e341 22953->22961 22965 2f7e350 22953->22965 22958 2f7e008 22956->22958 22957 2f7e045 22957->22947 22958->22957 22959 2f7e341 2 API calls 22958->22959 22960 2f7e350 2 API calls 22958->22960 22959->22957 22960->22957 22962 2f7e350 22961->22962 22963 2f792f0 LoadLibraryExW GetModuleHandleW 22962->22963 22964 2f7e359 22963->22964 22964->22952 22966 2f792f0 LoadLibraryExW GetModuleHandleW 22965->22966 22967 2f7e359 22966->22967 22967->22952 22968 2f7b818 DuplicateHandle 22969 2f7b8ae 22968->22969 22970 2f7fb18 22971 2f7fb80 CreateWindowExW 22970->22971 22973 2f7fc3c 22971->22973 22865 2f7fd60 SetWindowLongW 22866 2f7fdcc 22865->22866 22974 7e8f9d0 22975 7e8fa4f CreateProcessW 22974->22975 22977 7e8fb38 22975->22977 22978 7e8fed0 22979 7e8ff13 VirtualAllocEx 22978->22979 22980 7e8ff4a 22979->22980
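The two execution graphs above, read together, list the remote-injection primitives that the "Injects a PE file into a foreign processes" signature rests on: process 11 (the submitted sample) shows WriteProcessMemory and ResumeThread, while process 14 (the dropped dhcpmon) shows CreateProcessW, VirtualAllocEx, SetThreadContext and ReadProcessMemory, with neither dump alone covering the whole chain (execution coverage is 8.2%). The script below is an added example by the editor, not Joe Sandbox output or code from the report: it parses the flattened execution_graph text as printed here (node grammar `<id> <address> [Api ...]`, edges as `<id>-><id>`), groups the recovered API names into the stages of a process-hollowing chain, and correlates the stages across dumps of the same sample. The graph excerpts are trimmed copies of the report's own strings; the stage table is the editor's; the field layout assumed for decoding the `.sdmp` dump names (pid, run, id, base, protection, unknown, memory type, unknown) is inferred from matching them against the `hcaresult_11_2_ab0000_*.jbxd` snapshot names and the Win32 constants PAGE_EXECUTE_READWRITE (0x40) and MEM_PRIVATE (0x20000), and is not documented on this page.

```python
import re
from typing import Dict, List, Set

# Node grammar of the flattened execution_graph text: "<decimal id> <hex address> [ApiName ...]".
# Edge tokens ("<id>-><id>") and "N API calls" annotations carry no API names and fall through.
NODE_RE = re.compile(r"(?<![\w>-])(\d+) ([0-9a-f]+)\b((?: [A-Z][A-Za-z0-9]*)*)")

# Excerpts of the two execution_graph strings in this report (process 11, the submitted
# sample; process 14, the dropped dhcpmon), trimmed to the API-bearing nodes.
GRAPH_PID11 = (
    "execution_graph 20021 4c1fc50 20022 4c1fc9b WriteProcessMemory 20021->20022 "
    "20039 ab9518 GetModuleHandleW 20041 ab9545 20039->20041 "
    "20050 ab9568 LoadLibraryExW 20045->20050 20075 abb818 DuplicateHandle "
    "20078 abfb80 CreateWindowExW 20111 ab9f94 2 API calls 20110->20111 "
    "20017 4c1fe49 ResumeThread 20016->20017 20019 abfd60 SetWindowLongW "
    "20064 abb5f0 GetCurrentProcess 20065 abb66a GetCurrentThread 20064->20065 "
    "20073 4c1b2f8 FindCloseChangeNotification 20072->20073"
)
GRAPH_PID14 = (
    "execution_graph 22823 7e86eab 22828 7e88aa8 VirtualProtect 22827->22828 "
    "22833 2f7b5f0 GetCurrentProcess 22868 7e8fd88 SetThreadContext 22867->22868 "
    "22872 7e8fe4b ReadProcessMemory 22871->22872 22915 2f79518 GetModuleHandleW "
    "22926 2f78dc0 LoadLibraryExW 22924->22926 22968 2f7b818 DuplicateHandle "
    "22975 7e8fa4f CreateProcessW 22974->22975 22979 7e8ff13 VirtualAllocEx 22978->22979"
)

# Remote-injection primitives grouped by the stage of a process-hollowing chain they serve
# (editor's table; the Nt* names are the native equivalents a hook-evading loader may call).
HOLLOWING_STAGES: Dict[str, Set[str]] = {
    "spawn":    {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "allocate": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write":    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack":   {"SetThreadContext", "NtSetContextThread", "QueueUserAPC"},
    "resume":   {"ResumeThread", "NtResumeThread"},
}

def parse_execution_graph(text: str) -> Dict[str, List[str]]:
    """Map each function address in the graph to the Win32 APIs attached to it."""
    apis_by_addr: Dict[str, List[str]] = {}
    for _node_id, addr, names in NODE_RE.findall(text):
        apis = names.split()
        if apis:  # nodes without an API name are plain basic blocks
            apis_by_addr.setdefault(addr, []).extend(apis)
    return apis_by_addr

def hollowing_stages(apis: Set[str]) -> Set[str]:
    """Stages of the chain evidenced by a set of API names."""
    return {stage for stage, names in HOLLOWING_STAGES.items() if apis & names}

def assess(graphs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Per-graph stage coverage plus the union across every graph of the same sample.
    A single dump covers only part of the code (8.2% in this report), so stages missing
    from one process are often found in the graph of the process it spawned."""
    result: Dict[str, Set[str]] = {}
    seen: Set[str] = set()
    for label, text in graphs.items():
        apis = {a for calls in parse_execution_graph(text).values() for a in calls}
        seen |= apis
        result[label] = hollowing_stages(apis)
    result["union"] = hollowing_stages(seen)
    return result

def verdict(stages: Set[str]) -> str:
    if len(stages) == len(HOLLOWING_STAGES):
        return "full process-hollowing chain"
    return "partial: " + ", ".join(sorted(stages)) if stages else "none"

# Dump-name decoding. ASSUMED layout (inferred, not documented on the page):
# pid.run.id.base.protect.<unknown>.type.<unknown>.sdmp. The pid (0x0B = 11), run (2) and
# base (0xAB0000) agree with the snapshot name hcaresult_11_2_ab0000_5JbQqP8SDG.jbxd.
PAGE_EXECUTE_READWRITE, MEM_PRIVATE = 0x40, 0x20000

def decode_dump_name(name: str) -> Dict[str, object]:
    """RWX + private + 'based on PE: false' is the profile of unpacked or injected code."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    f = stem.split(".")
    return {"pid": int(f[0], 16), "run": int(f[1], 16), "base": int(f[3], 16),
            "rwx": int(f[4], 16) == PAGE_EXECUTE_READWRITE,
            "private": int(f[6], 16) == MEM_PRIVATE}

if __name__ == "__main__":
    for label, stages in assess({"pid11": GRAPH_PID11, "pid14": GRAPH_PID14}).items():
        print(f"{label:6} {verdict(stages)}")
    print(decode_dump_name(
        "0000000B.00000002.583510425.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp"))
```

Run stand-alone, the script reports process 11 as "partial: resume, write", process 14 as "partial: allocate, hijack, spawn", and the union as the full chain, which is the correlation a triage analyst has to do by hand when reading the two graphs separately. The stage table deliberately treats CreateProcessW as evidence only of the spawn stage: the CREATE_SUSPENDED flag that distinguishes hollowing from an ordinary child launch is not visible in the graph, so the verdict rests on the co-occurrence of all five stages rather than on any one call.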

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 02F7B650
                                    • GetCurrentThread.KERNEL32 ref: 02F7B68D
                                    • GetCurrentProcess.KERNEL32 ref: 02F7B6CA
                                    • GetCurrentThreadId.KERNEL32 ref: 02F7B723
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 854fcc7b3a173bdd13e6c470d1af6907ba8f402b0f9b39358f36285759975271
                                    • Instruction ID: 126d1b3420a40bceac90eda8c091e4b00bc943d499b72b2e07a8ef93ff9bbae9
                                    • Opcode Fuzzy Hash: 854fcc7b3a173bdd13e6c470d1af6907ba8f402b0f9b39358f36285759975271
                                    • Instruction Fuzzy Hash: 3F5157B09053488FDB14CFA9D948BEEBBF5BF49308F2484AAE159A7290D7346844CF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 02F7B650
                                    • GetCurrentThread.KERNEL32 ref: 02F7B68D
                                    • GetCurrentProcess.KERNEL32 ref: 02F7B6CA
                                    • GetCurrentThreadId.KERNEL32 ref: 02F7B723
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 4a8fb990ed179a44cf7a250d79152c1cabe8a8b48f57c2d08a17d01ec49bb752
                                    • Instruction ID: 0b9e79082212127456fb2ad833d68f9f1fa9ee6d6bc3ab3b5abbea8e27be6bde
                                    • Opcode Fuzzy Hash: 4a8fb990ed179a44cf7a250d79152c1cabe8a8b48f57c2d08a17d01ec49bb752
                                    • Instruction Fuzzy Hash: 5D5154B09002488FDB14CFAAD948BEEBBF5BF49308F24846AE059A7350D7346884CF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 02F792F0; calls 02F78D5C, 02F79578 / 02F79568, 02F78D68, 02F78D78, 02F78D88, 02F78D98 and GetModuleHandleW in block 02F79518-02F79543.
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02F79536
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: a9117f01e7a9f2d698fa52b3b631cee7473a8c9734843ffce4438d9a6db1482b
                                    • Instruction ID: b51fea88bc64323a47ede936057384907ac1f1da6453aabaa77533369a897f63
                                    • Opcode Fuzzy Hash: a9117f01e7a9f2d698fa52b3b631cee7473a8c9734843ffce4438d9a6db1482b
                                    • Instruction Fuzzy Hash: 83714270A00B048FDB64CF6AD5447AAB7F6BF88344F00892ED58ADBA40D775E805CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 07E8F9D0; calls CreateProcessW in block 07E8FA99-07E8FB36.
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07E8FB23
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607916214.0000000007E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7e80000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 6b92aaf17c738bde9fe87706cda0bd0baeefe2901dc12fc66539e3741628a75e
                                    • Instruction ID: ae283a5f07c0c1afd510eac928cfa6f4f28f8009450355200e86deae9412f5a1
                                    • Opcode Fuzzy Hash: 6b92aaf17c738bde9fe87706cda0bd0baeefe2901dc12fc66539e3741628a75e
                                    • Instruction Fuzzy Hash: C15106B1901329DFDB64DF95C880BDDBBB5BF49314F1484AAE40CA7250DB359A88CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 02F7FB0C; calls CreateWindowExW in block 02F7FBDB-02F7FC3A.
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F7FC2A
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 9095794a3cdb876e24d70dcb26d7a82cd08beca0053b1d7c41e894634b46e62f
                                    • Instruction ID: 1e977bdb024577576ec33f424535e27e1dfe41d0e8bad6bad6663ba3a7fa5d2f
                                    • Opcode Fuzzy Hash: 9095794a3cdb876e24d70dcb26d7a82cd08beca0053b1d7c41e894634b46e62f
                                    • Instruction Fuzzy Hash: AD51D0B1D00309DFDF14CFA9C984ADEBBB5BF48354F24862AE819AB210D7749985CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 02F7FB18; calls CreateWindowExW in block 02F7FB9B-02F7FC3A.
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F7FC2A
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 4dad445f5fdbb58ab573d79c1cc34b9b43bc58293fcdc8d31bf07752044cccae
                                    • Instruction ID: 9b1182941af4374f530130d6ef64f781f1c959cd09e28dcd17e55e9ab2462dfb
                                    • Opcode Fuzzy Hash: 4dad445f5fdbb58ab573d79c1cc34b9b43bc58293fcdc8d31bf07752044cccae
                                    • Instruction Fuzzy Hash: A441C0B1D00309DFDF14CFA9C984ADEBBB5BF48354F24862AE819AB210D7749985CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 02F7B810; calls DuplicateHandle in block 02F7B818-02F7B8AC.
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F7B89F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 92abc7c68e3166e435c1c1933c960d024ee95cd6043f68fad5cfbd96f893ee27
                                    • Instruction ID: 0d57973a99433562869cdbe03add87ca27235014cfa9ed7876619583f81560cb
                                    • Opcode Fuzzy Hash: 92abc7c68e3166e435c1c1933c960d024ee95cd6043f68fad5cfbd96f893ee27
                                    • Instruction Fuzzy Hash: 5221D2B59012089FDB10CFA9D984AEEBBF8FB49324F14842AE954A3210D374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 02F7B818; calls DuplicateHandle in block 02F7B818-02F7B8AC.
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F7B89F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: c0bb564416a0bc5530ee341596b5d92401d8833deb3a1bcf6ddc22fed292bcfc
                                    • Instruction ID: 77bd5e05acf47fb1d9df5881ec874bb68ed9a7ed5680cf7f47c85f759c3e92c1
                                    • Opcode Fuzzy Hash: c0bb564416a0bc5530ee341596b5d92401d8833deb3a1bcf6ddc22fed292bcfc
                                    • Instruction Fuzzy Hash: 2D21C4B5D012089FDB10CFA9D984AEEBBF9FB49324F14841AE954A3350D374A954CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 07E8FE00; calls ReadProcessMemory in block 07E8FE00-07E8FE8C.
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E8FE7F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607916214.0000000007E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7e80000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 85a589e58ab2639befdddb3d11b3af8078162177967102358509cff49a4a1375
                                    • Instruction ID: 39507765e86b714231edf079d87023599cff090459c8c3b84726eed603fad8aa
                                    • Opcode Fuzzy Hash: 85a589e58ab2639befdddb3d11b3af8078162177967102358509cff49a4a1375
                                    • Instruction Fuzzy Hash: C421E7B59013599FCB10DF9AD884BDEBBF4FF48324F14842AE958A7250D374A544CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Graph rendering omitted (blocks marked Executed / Not Executed). Entry 07E8FD40; calls SetThreadContext in block 07E8FD98-07E8FDC4.
                                    APIs
                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 07E8FDB7
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607916214.0000000007E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7e80000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: ContextThread
                                    • String ID:
                                    • API String ID: 1591575202-0
                                    • Opcode ID: 42ca6dd203c26ad32c1793f90d42585329eec653a50248f3a9ce38f88004e89a
                                    • Instruction ID: 6a320ef86420f94fd634ca57222a7a876ed1570c0577c431f9d40c73c5f4243f
                                    • Opcode Fuzzy Hash: 42ca6dd203c26ad32c1793f90d42585329eec653a50248f3a9ce38f88004e89a
                                    • Instruction Fuzzy Hash: 4D211AB1D006199FCB10DF9AD845BEEFBF8BF49224F54812AD418B3340D778A9458FA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07E88AD3
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607916214.0000000007E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7e80000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 12c5962d8dbfceb17c75220d60102b9a399d8f8544dee1671a313c54e54fafe3
                                    • Instruction ID: bdfd57877b97ea7bf167c9f9d1c40ee8b4ea6a60f17024f3a8ecd6101c54da09
                                    • Opcode Fuzzy Hash: 12c5962d8dbfceb17c75220d60102b9a399d8f8544dee1671a313c54e54fafe3
                                    • Instruction Fuzzy Hash: 432108B59002099FCB10CF99D985BDEBBF4FF48324F148429E858B7250D3789945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F795B1,00000800,00000000,00000000), ref: 02F797C2
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 617d13b284d45b99b4f5ac47e33ba15553c3d6bf58587904de8668e691d40cfc
                                    • Instruction ID: bb80a26e98f521517e7c57480cc6b1084445e914d464c0b7cea11eb2e8802106
                                    • Opcode Fuzzy Hash: 617d13b284d45b99b4f5ac47e33ba15553c3d6bf58587904de8668e691d40cfc
                                    • Instruction Fuzzy Hash: 492117B6D002089FCB10CF9AC844ADEFBF9FF49364F15842AE959A7640C3B5A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07E88AD3
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607916214.0000000007E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7e80000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 4aa5dd483be9dbab56979b729c4d0e6a1bfd88e51c18da93db9af7a415137e7f
                                    • Instruction ID: 3cbf8ae4ab97b518a4d564de4fbffefb62bc76c1f282e65de1b31db71bb851fe
                                    • Opcode Fuzzy Hash: 4aa5dd483be9dbab56979b729c4d0e6a1bfd88e51c18da93db9af7a415137e7f
                                    • Instruction Fuzzy Hash: 2021F9B59006099FCB10DF9AD484BDEFBF8FF48324F548429E858A7240D378A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F795B1,00000800,00000000,00000000), ref: 02F797C2
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: cd4767b888cb2827c8b8a32f3a9ff784de6a88c8bd741cbce50c9b872ab63a84
                                    • Instruction ID: ae5d51dee8bdbe20715be1e1606e4cf7bb4108f0d782f83050fc98feb2ef4793
                                    • Opcode Fuzzy Hash: cd4767b888cb2827c8b8a32f3a9ff784de6a88c8bd741cbce50c9b872ab63a84
                                    • Instruction Fuzzy Hash: 461114B6D002088FCB10CF9AC444AEEFBF9EB49364F14882AE555A7700C3B5A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E8FF3B
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607916214.0000000007E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7e80000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 876b71416d28be058419d68603ea95ce72a9bbd239de8bf5e0eec799003e37f0
                                    • Instruction ID: bd296b31cfd4da8dd65648bc820faf3da4e65109379c8d4e02ecfb8940924031
                                    • Opcode Fuzzy Hash: 876b71416d28be058419d68603ea95ce72a9bbd239de8bf5e0eec799003e37f0
                                    • Instruction Fuzzy Hash: FB1122B6800249DFCB10DF9AD884BDEBBF8FF49324F148419E528A7210C335A954CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02F79536
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 34475b45ee0f085ff7f43ee7a736d8eef0c522f2d56a453916c73dee44067a5c
                                    • Instruction ID: 397e156f2330659b39e67906152479fb3cc33e3bdc696e2fe197d729d6b23014
                                    • Opcode Fuzzy Hash: 34475b45ee0f085ff7f43ee7a736d8eef0c522f2d56a453916c73dee44067a5c
                                    • Instruction Fuzzy Hash: 141110B6C002098FCB10CF9AD444BDEFBF8AF89224F14842AD929B7300C378A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetWindowLongW.USER32(?,?,?), ref: 02F7FDBD
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: c30ebea7e2bf6d5f5502e7d7eca632b5789a13a1df145fb2fce68b406f28b6d7
                                    • Instruction ID: ab2049c525c4d665995843292cc44b7f6c3b67f3e5a51116bf5cae1895b8abe6
                                    • Opcode Fuzzy Hash: c30ebea7e2bf6d5f5502e7d7eca632b5789a13a1df145fb2fce68b406f28b6d7
                                    • Instruction Fuzzy Hash: 8B1103B59003099FDB10DF99D484BEEBBF8FB48324F14851AE955A3700D374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetWindowLongW.USER32(?,?,?), ref: 02F7FDBD
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.587311587.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2f70000_dhcpmon.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 758f892776216ad637291acc72ce0f5b5edaa175c9c1eb1f19fe28a2912e7c22
                                    • Instruction ID: 98438baeea27a65ecb83f91ab4f3d0cee33309488db25013332411d812535666
                                    • Opcode Fuzzy Hash: 758f892776216ad637291acc72ce0f5b5edaa175c9c1eb1f19fe28a2912e7c22
                                    • Instruction Fuzzy Hash: 5411E2B59002099FDB10DF9AD588BEFBBF8FB48324F14851AE959A7740C374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f8535cb9f393fbd80d548e5df6799f17c2cf29a043ace8306a7c04af6315e59d
                                    • Instruction ID: f3d33bbce7f6a4db4421d86fa62acdd3dd6295ad2baf24b3cefb63096628c19e
                                    • Opcode Fuzzy Hash: f8535cb9f393fbd80d548e5df6799f17c2cf29a043ace8306a7c04af6315e59d
                                    • Instruction Fuzzy Hash: 6BB17FB4B012049FDB14DBA4D594AAEBBF6EF89310F1540A9F615AB3A2CB71DD00CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 24b347d8a8dd6676660c5dd0332955329df4bd656475e383db46455a6f16e52d
                                    • Instruction ID: 524e5b39541b44b99f8018d34ed89b7ab55ee84ac56939e60c7a52525b8f36df
                                    • Opcode Fuzzy Hash: 24b347d8a8dd6676660c5dd0332955329df4bd656475e383db46455a6f16e52d
                                    • Instruction Fuzzy Hash: 1E31CDB0B007018FCB59EB75C96066E77A2AFC9204B04847DE6598F392DF35DC05CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ab2a39a81a50485642fc8351c79e8df60f23b654237072ec91595ba7726b6ad6
                                    • Instruction ID: cb1afb863c757be5429eb3b515d6c41d4d17942f390fc93edb0d0d38b249eda2
                                    • Opcode Fuzzy Hash: ab2a39a81a50485642fc8351c79e8df60f23b654237072ec91595ba7726b6ad6
                                    • Instruction Fuzzy Hash: 2A31CEB0B007018BCB58EB79C85062E77A2AFC9704B04847CEA598F392DF75DC01CB96
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586387573.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2e9d000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6665fa0008775f667184b092a3e2f7b4b8c4aa26f9ca017d08a8bb0d327635e4
                                    • Instruction ID: 8c2f07b1e0a8d4cae06df7a3a685ae56ce5440ee1f5680f79d008e6719d8875b
                                    • Opcode Fuzzy Hash: 6665fa0008775f667184b092a3e2f7b4b8c4aa26f9ca017d08a8bb0d327635e4
                                    • Instruction Fuzzy Hash: 952137B1544244DFDF09EF50DDC0FA6BBA9FB88328F24C56AE8050B246C336E856C7A1
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586626472.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2ead000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 75a4065517f654254ef6ed0cf6dca6e86df8ab43968060f3a65ca391455b1fcb
                                    • Instruction ID: abef1712737aa4ab746a3cf92c19a6b3ce8dd9b728a99508e2f2a94b18a32769
                                    • Opcode Fuzzy Hash: 75a4065517f654254ef6ed0cf6dca6e86df8ab43968060f3a65ca391455b1fcb
                                    • Instruction Fuzzy Hash: 79212571544240DFDB14CF20DCD5B66BBA6FB88318F24C96DD84A4F646C337E806CA61
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586626472.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2ead000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf5f0bdc22adf01ee8ed875b917e3b185040231b7e136a8f88184f2bd9060b6f
                                    • Instruction ID: 07e049cbe75c185a19ebac510506b9b92289d325332e8cd59b5c80259591d588
                                    • Opcode Fuzzy Hash: bf5f0bdc22adf01ee8ed875b917e3b185040231b7e136a8f88184f2bd9060b6f
                                    • Instruction Fuzzy Hash: 37212571544204DFDB04CF60D9D4B66BBA5FB88318F24C9ADE8094F641C336E806CA71
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eebd1495e39d9deeebd18b92416ce98a179db636dd971aa67070e704715b14f8
                                    • Instruction ID: 1419b4fce742cff4d0fe8ca8e32ce1894660edba610b40b1d3de6e0a1b5771ff
                                    • Opcode Fuzzy Hash: eebd1495e39d9deeebd18b92416ce98a179db636dd971aa67070e704715b14f8
                                    • Instruction Fuzzy Hash: 2421DBB66093898FDB01DFA1C94096A7FF6EF46304B0594ABE128CB163C735D809CF22
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586626472.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2ead000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 95a7aa0b2a2c1ca60089ff9313197d842a438e231d50dea36c14de370b291b00
                                    • Instruction ID: e5e3fa4f5ad8f8771697eb8360a457a339b23378b62e306869b48ff07b83fab4
                                    • Opcode Fuzzy Hash: 95a7aa0b2a2c1ca60089ff9313197d842a438e231d50dea36c14de370b291b00
                                    • Instruction Fuzzy Hash: 862153755493C08FCB12CF24D9E4715BF71EB46214F28C5DAD8498F697C33A944ACB62
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586387573.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2e9d000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
                                    • Instruction ID: b535c6f8b3b5d789dc65abe0bb4fac4726cc0aab18dedb027934faca378bd360
                                    • Opcode Fuzzy Hash: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
                                    • Instruction Fuzzy Hash: AF110876444280CFCF15DF10D9C4B16BF71FB85328F28C6AAD8454B656C33AE45ACBA2
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bcb3af1e0cdb40807c2029ba6bd2bb3543cee2dc9a47cd2e9381c938786151f7
                                    • Instruction ID: 4ac777ddbaa639e4c4ea6701072b447eb6fe250b7aacf0272025d3c8aca864ea
                                    • Opcode Fuzzy Hash: bcb3af1e0cdb40807c2029ba6bd2bb3543cee2dc9a47cd2e9381c938786151f7
                                    • Instruction Fuzzy Hash: 1F01A1B0714614DBC3388FAAE544637BBFAEBC5710B08881DF166C7706CB32E8468791
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586626472.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2ead000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bbc4167c3c97515e31d18ccee52d8336f50c7ccc6e38931adc408a7337d2e844
                                    • Instruction ID: 55fb3d3591130898e01119c2f0b108c58ab7d17604f95bdb4b79152fe3276508
                                    • Opcode Fuzzy Hash: bbc4167c3c97515e31d18ccee52d8336f50c7ccc6e38931adc408a7337d2e844
                                    • Instruction Fuzzy Hash: 53118E75544280DFCB11CF50D9D4B15BB61FB84328F28C6A9D8494F656C33AE45ACB61
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fee7b1fd9c7bf7459cb92189cee9a4127e210233034c6e26bbf3e8ff698d0bd3
                                    • Instruction ID: 268a7db72630d1f6e6ad663c526081f9a6dc9d6f1c1e99b314ed383e77f433dc
                                    • Opcode Fuzzy Hash: fee7b1fd9c7bf7459cb92189cee9a4127e210233034c6e26bbf3e8ff698d0bd3
                                    • Instruction Fuzzy Hash: FF11A1B6945345DFCB06DFA0C94069EBFB5AF45300F1080A7D124CB163C7349908CF52
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586387573.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2e9d000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 697f0a74c35038f98653d5730fc32371092ba145f95f07602bd596915521415a
                                    • Instruction ID: 5006df5961cb3ae3c7bcbf64bcd82d7cbff3eb783029c368dc2fff895442001a
                                    • Opcode Fuzzy Hash: 697f0a74c35038f98653d5730fc32371092ba145f95f07602bd596915521415a
                                    • Instruction Fuzzy Hash: E701F775048350AAEB106A61CC84BE6BB9CEF41278F08D95BED151B242D37A9444CAB1
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.586387573.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_2e9d000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c40ed2feef35e3576d8504f88e548a414dd44d62fd04cce9d45277a80c885dd0
                                    • Instruction ID: aadd8a8fd845a4ce1ec0931bd72f6fa7e0bcf0fd3505fcf06ea9a4f639766057
                                    • Opcode Fuzzy Hash: c40ed2feef35e3576d8504f88e548a414dd44d62fd04cce9d45277a80c885dd0
                                    • Instruction Fuzzy Hash: C7F0C272405244AEEB109E55CC88BA2FF9CEB41238F18C45BED081B286C37AA844CAB0
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 028da8fcf9f973719d2d62893c0d9674b619507b7e617cf8c55296a91f99bc72
                                    • Instruction ID: 6176cbfd5fa32ae612a74eed8bac217f6f8b4bf858856fc8068ed392f3c8af6b
                                    • Opcode Fuzzy Hash: 028da8fcf9f973719d2d62893c0d9674b619507b7e617cf8c55296a91f99bc72
                                    • Instruction Fuzzy Hash: 4F01E4B0E4125A9FDB10DFAAC455ABEBFF1EB48211F14846AD52AE2241D7345141CF91
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 71f4b3b244567c5893f368e5feb2398a4a382f1eec2f798032eb67f7c6617f27
                                    • Instruction ID: edf9a03099ad40fab50e83a6cc9d52cc50410b89cb82ead61a0094188de46c9c
                                    • Opcode Fuzzy Hash: 71f4b3b244567c5893f368e5feb2398a4a382f1eec2f798032eb67f7c6617f27
                                    • Instruction Fuzzy Hash: 16F0A0F1E402169EEB50DFAAD5047ABBFF5EF48300F10883AE119E7241DBB085458FA1
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4ea1bd5f5f8cc2eeb3fb786a54b0aceb9c0b9d70bf49b088f4c35738de2417a9
                                    • Instruction ID: 63dc073c11215560f112556df6bd62d93e01c000335da5e3f706ae23d79a050f
                                    • Opcode Fuzzy Hash: 4ea1bd5f5f8cc2eeb3fb786a54b0aceb9c0b9d70bf49b088f4c35738de2417a9
                                    • Instruction Fuzzy Hash: 6FF0F4B0E0421EDFCB44DFAAC5556BEBFF0AB08200F14846AE526E2241D7345240CFA1
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0d9168cbbd952d44d591d5b6866b66472aa119a850cb949b075845c6bd335d61
                                    • Instruction ID: 9403c21161ebf92d7f5f03354e686082deb963458d80af41eb995b71a94ba271
                                    • Opcode Fuzzy Hash: 0d9168cbbd952d44d591d5b6866b66472aa119a850cb949b075845c6bd335d61
                                    • Instruction Fuzzy Hash: 4DF0A0E0C8E3DADFC7025BD5D8281BA7FB0EF0A251F4940CAE1A2CA192C7784105CB62
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 144dbd20386024f6fb8704dcfd141efbc094de884d68b13d6d7d7610166c0377
                                    • Instruction ID: 15ec7bffce719e68386b1db98dd0d07df2d53068328bfa9514f927dea7f27e9b
                                    • Opcode Fuzzy Hash: 144dbd20386024f6fb8704dcfd141efbc094de884d68b13d6d7d7610166c0377
                                    • Instruction Fuzzy Hash: E2E039F0D0021AAFD750EFAA890466BBEF8AF48250F104829E119E7201EBB085418BA0
                                     Uniqueness
                                     • Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.607101467.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_7af0000_dhcpmon.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 017d568a9d08374ffc5aa55abe65a4a0086c290215c552750effe04f38144b97
                                    • Instruction ID: 04ad777adc06a745e1c0fdb919d411c63bd34fa754fd8478132b0ce6e3f8ce21
                                    • Opcode Fuzzy Hash: 017d568a9d08374ffc5aa55abe65a4a0086c290215c552750effe04f38144b97
                                    • Instruction Fuzzy Hash: 64D0ECB4C40309EFD750EFB9890139FBAF4BB04200F108966D124E6202EB7452008B91
                                     Uniqueness
                                     • Uniqueness Score: -1.00%