
Windows Analysis Report
1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe

Overview

General Information

Sample Name: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
Analysis ID: 626643
MD5: 7564920df8fdac8a30144d4297173194
SHA1: 7e5451c6de3e46983c22ab6fe70eb0c6e5fc21da
SHA256: 1da2baedb633fd4884fce89a2d9d8630c2e7af359fe7519f677ad64bcc162a61
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Detected TCP or UDP traffic on non-standard ports

Classification

  • System is w10x64
  • dhcpmon.exe (PID: 4684 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 7564920DF8FDAC8A30144D4297173194)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "9b13b828-50a9-4487-af40-2faff161", "Group": "Default", "Domain1": "6.tcp.ngrok.io", "Domain2": "6.tcp.ngrok.io", "Port": 10715, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source / Rule / Description / Author / Strings
Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
    Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Author: ditekSHen
    • 0xfef5:$x1: NanoCore Client
    • 0xff05:$x1: NanoCore Client
    • 0x1014d:$x2: NanoCore.ClientPlugin
    • 0x1018d:$x3: NanoCore.ClientPluginHost
    • 0x10142:$i1: IClientApp
    • 0x10163:$i2: IClientData
    • 0x1016f:$i3: IClientNetwork
    • 0x1017e:$i4: IClientAppHost
    • 0x101a7:$i5: IClientDataHost
    • 0x101b7:$i6: IClientLoggingHost
    • 0x101ca:$i7: IClientNetworkHost
    • 0x101dd:$i8: IClientUIHost
    • 0x101eb:$i9: IClientNameObjectCollection
    • 0x10207:$i10: IClientReadOnlyNameObjectCollection
    • 0xff54:$s1: ClientPlugin
    • 0x10156:$s1: ClientPlugin
    • 0x1064a:$s2: EndPoint
    • 0x10653:$s3: IPAddress
    • 0x1065d:$s4: IPEndPoint
    • 0x12093:$s6: get_ClientSettings
    • 0x12637:$s7: get_Connected
    Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q
    Source / Rule / Description / Author / Strings
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Author: ditekSHen
      • 0xfef5:$x1: NanoCore Client
      • 0xff05:$x1: NanoCore Client
      • 0x1014d:$x2: NanoCore.ClientPlugin
      • 0x1018d:$x3: NanoCore.ClientPluginHost
      • 0x10142:$i1: IClientApp
      • 0x10163:$i2: IClientData
      • 0x1016f:$i3: IClientNetwork
      • 0x1017e:$i4: IClientAppHost
      • 0x101a7:$i5: IClientDataHost
      • 0x101b7:$i6: IClientLoggingHost
      • 0x101ca:$i7: IClientNetworkHost
      • 0x101dd:$i8: IClientUIHost
      • 0x101eb:$i9: IClientNameObjectCollection
      • 0x10207:$i10: IClientReadOnlyNameObjectCollection
      • 0xff54:$s1: ClientPlugin
      • 0x10156:$s1: ClientPlugin
      • 0x1064a:$s2: EndPoint
      • 0x10653:$s3: IPAddress
      • 0x1065d:$s4: IPEndPoint
      • 0x12093:$s6: get_ClientSettings
      • 0x12637:$s7: get_Connected
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
      • 0xfef5:$a: NanoCore
      • 0xff05:$a: NanoCore
      • 0x10139:$a: NanoCore
      • 0x1014d:$a: NanoCore
      • 0x1018d:$a: NanoCore
      • 0xff54:$b: ClientPlugin
      • 0x10156:$b: ClientPlugin
      • 0x10196:$b: ClientPlugin
      • 0x1007b:$c: ProjectData
      • 0x10a82:$d: DESCrypto
      • 0x1844e:$e: KeepAlive
      • 0x1643c:$g: LogClientMessage
      • 0x12637:$i: get_Connected
      • 0x10db8:$j: #=q
      • 0x10de8:$j: #=q
      • 0x10e04:$j: #=q
      • 0x10e34:$j: #=q
      • 0x10e50:$j: #=q
      • 0x10e6c:$j: #=q
      • 0x10e9c:$j: #=q
      • 0x10eb8:$j: #=q
      Source / Rule / Description / Author / Strings
      Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
        Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
        • 0xfcf5:$a: NanoCore
        • 0xfd05:$a: NanoCore
        • 0xff39:$a: NanoCore
        • 0xff4d:$a: NanoCore
        • 0xff8d:$a: NanoCore
        • 0xfd54:$b: ClientPlugin
        • 0xff56:$b: ClientPlugin
        • 0xff96:$b: ClientPlugin
        • 0xfe7b:$c: ProjectData
        • 0x10882:$d: DESCrypto
        • 0x1824e:$e: KeepAlive
        • 0x1623c:$g: LogClientMessage
        • 0x12437:$i: get_Connected
        • 0x10bb8:$j: #=q
        • 0x10be8:$j: #=q
        • 0x10c04:$j: #=q
        • 0x10c34:$j: #=q
        • 0x10c50:$j: #=q
        • 0x10c6c:$j: #=q
        • 0x10c9c:$j: #=q
        • 0x10cb8:$j: #=q
        Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
        • 0xff8d:$x1: NanoCore.ClientPluginHost
        • 0xffca:$x2: IClientNetworkHost
        • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
          Source / Rule / Description / Author / Strings
          Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
          • 0xd9ad:$x1: NanoCore.ClientPluginHost
          • 0xd9da:$x2: IClientNetworkHost
          Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
          • 0xd9ad:$x2: NanoCore.ClientPluginHost
          • 0xea88:$s4: PipeCreated
          • 0xd9c7:$s5: IClientLoggingHost
          Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
            Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Author: ditekSHen
            • 0xd978:$x2: NanoCore.ClientPlugin
            • 0xd9ad:$x3: NanoCore.ClientPluginHost
            • 0xd96c:$i2: IClientData
            • 0xd98e:$i3: IClientNetwork
            • 0xd99d:$i5: IClientDataHost
            • 0xd9c7:$i6: IClientLoggingHost
            • 0xd9da:$i7: IClientNetworkHost
            • 0xd9ed:$i8: IClientUIHost
            • 0xd9fb:$i9: IClientNameObjectCollection
            • 0xda17:$i10: IClientReadOnlyNameObjectCollection
            • 0xd76a:$s1: ClientPlugin
            • 0xd981:$s1: ClientPlugin
            • 0x129a2:$s6: get_ClientSettings
            Source: 4.2.dhcpmon.exe.3053dc4.1.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
            • 0xe75:$x1: NanoCore.ClientPluginHost
            • 0xe8f:$x2: IClientNetworkHost

            AV Detection

            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, ProcessId: 6948, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            E-Banking Fraud

            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, ProcessId: 6948, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Stealing of Sensitive Information

            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, ProcessId: 6948, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Remote Access Functionality

            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, ProcessId: 6948, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Snort IDS alerts (all TCP, all Classtype: A Network Trojan was detected). SID 2025019 = ET TROJAN Possible NanoCore C2 60B, SID 2816766 = ETPRO TROJAN NanoCore RAT CnC 7, SID 2816718 = ETPRO TROJAN NanoCore RAT Keep-Alive Beacon.

            Timestamp                 Source             Destination           SID
            05/14/22-18:53:45.756170  192.168.2.3:49758  18.189.106.45:10715   2816718
            05/14/22-18:53:40.189537  192.168.2.3:49757  18.189.106.45:10715   2025019
            05/14/22-18:54:36.688201  192.168.2.3:49794  3.132.159.158:10715   2816766
            05/14/22-18:54:41.730487  192.168.2.3:49806  3.141.210.37:10715    2816766
            05/14/22-18:54:51.648514  192.168.2.3:49848  3.141.142.211:10715   2816766
            05/14/22-18:55:01.842670  192.168.2.3:49854  18.189.106.45:10715   2816766
            05/14/22-18:55:26.161126  192.168.2.3:49883  3.141.210.37:10715    2025019
            05/14/22-18:53:30.583587  192.168.2.3:49740  3.140.223.7:10715     2025019
            05/14/22-18:54:00.755092  192.168.2.3:49765  3.141.142.211:10715   2025019
            05/14/22-18:53:30.746005  192.168.2.3:49740  3.140.223.7:10715     2816766
            05/14/22-18:54:41.230236  192.168.2.3:49806  3.141.210.37:10715    2025019
            05/14/22-18:53:50.228503  192.168.2.3:49759  18.189.106.45:10715   2025019
            05/14/22-18:53:35.773125  192.168.2.3:49756  3.141.142.211:10715   2816766
            05/14/22-18:55:06.246494  192.168.2.3:49858  3.141.177.1:10715     2025019
            05/14/22-18:53:45.315185  192.168.2.3:49758  18.189.106.45:10715   2025019
            05/14/22-18:55:06.694095  192.168.2.3:49858  3.141.177.1:10715     2816766
            05/14/22-18:55:01.397157  192.168.2.3:49854  18.189.106.45:10715   2025019
            05/14/22-18:55:35.481238  192.168.2.3:49886  18.189.106.45:10715   2025019
            05/14/22-18:54:06.080233  192.168.2.3:49770  3.141.142.211:10715   2025019
            05/14/22-18:54:15.860094  192.168.2.3:49781  3.141.142.211:10715   2025019
            05/14/22-18:55:30.861568  192.168.2.3:49884  3.141.210.37:10715    2025019
            05/14/22-18:54:25.617279  192.168.2.3:49785  3.141.142.211:10715   2025019
            05/14/22-18:54:46.608305  192.168.2.3:49836  3.141.142.211:10715   2816766
            05/14/22-18:54:31.286610  192.168.2.3:49791  18.189.106.45:10715   2816766
            05/14/22-18:54:56.252366  192.168.2.3:49853  3.132.159.158:10715   2025019
            05/14/22-18:54:20.769932  192.168.2.3:49783  3.141.142.211:10715   2025019
            05/14/22-18:55:11.701384  192.168.2.3:49874  3.132.159.158:10715   2025019
            05/14/22-18:53:35.332411  192.168.2.3:49756  3.141.142.211:10715   2025019
            05/14/22-18:55:16.679672  192.168.2.3:49880  18.189.106.45:10715   2025019
            05/14/22-18:55:17.122336  192.168.2.3:49880  18.189.106.45:10715   2816766
            05/14/22-18:55:21.440941  192.168.2.3:49882  18.189.106.45:10715   2025019
            05/14/22-18:54:46.418129  192.168.2.3:49836  3.141.142.211:10715   2816718
            05/14/22-18:55:21.882674  192.168.2.3:49882  18.189.106.45:10715   2816766
            05/14/22-18:54:11.046665  192.168.2.3:49776  3.141.210.37:10715    2025019
            05/14/22-18:54:00.902736  192.168.2.3:49765  3.141.142.211:10715   2816766
            05/14/22-18:53:55.476894  192.168.2.3:49760  3.141.210.37:10715    2816766
            05/14/22-18:54:36.540422  192.168.2.3:49794  3.132.159.158:10715   2025019
            05/14/22-18:55:12.139699  192.168.2.3:49874  3.132.159.158:10715   2816766
            05/14/22-18:53:40.555893  192.168.2.3:49757  18.189.106.45:10715   2816766
            05/14/22-18:53:45.756170  192.168.2.3:49758  18.189.106.45:10715   2816766
            05/14/22-18:54:25.912977  192.168.2.3:49785  3.141.142.211:10715   2816766
            05/14/22-18:54:11.487905  192.168.2.3:49776  3.141.210.37:10715    2816766
            05/14/22-18:53:50.666342  192.168.2.3:49759  18.189.106.45:10715   2816766
            05/14/22-18:54:21.223616  192.168.2.3:49783  3.141.142.211:10715   2816766
            05/14/22-18:53:55.034238  192.168.2.3:49760  3.141.210.37:10715    2025019
            05/14/22-18:54:56.699602  192.168.2.3:49853  3.132.159.158:10715   2816766
            05/14/22-18:54:16.302738  192.168.2.3:49781  3.141.142.211:10715   2816766
            05/14/22-18:54:06.525535  192.168.2.3:49770  3.141.142.211:10715   2816766
            05/14/22-18:55:31.304803  192.168.2.3:49884  3.141.210.37:10715    2816766
            05/14/22-18:54:30.845080  192.168.2.3:49791  18.189.106.45:10715   2025019
            05/14/22-18:54:46.122377  192.168.2.3:49836  3.141.142.211:10715   2025019
            05/14/22-18:54:51.048070  192.168.2.3:49848  3.141.142.211:10715   2025019
            05/14/22-18:55:26.602738  192.168.2.3:49883  3.141.210.37:10715    2816766


            AV Detection

            Source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9b13b828-50a9-4487-af40-2faff161", "Group": "Default", "Domain1": "6.tcp.ngrok.io", "Domain2": "6.tcp.ngrok.io", "Port": 10715, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Metadefender: Detection: 82%
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, ReversingLabs: Detection: 100%
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Avira: detected
            Source: 6.tcp.ngrok.io, Avira URL Cloud: Label: malware
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Metadefender: Detection: 82%
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 97%
            Source: Yara match, File source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE
            Source: Yara match, File source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR
            Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Joe Sandbox ML: detected
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

            Networking

            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 3.140.223.7:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49740 -> 3.140.223.7:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49756 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49757 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49758 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49758 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49759 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 3.141.210.37:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49760 -> 3.141.210.37:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49765 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49765 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49770 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49770 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49776 -> 3.141.210.37:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49776 -> 3.141.210.37:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49781 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49781 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49783 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49785 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49785 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49791 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49791 -> 18.189.106.45:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49794 -> 3.132.159.158:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49794 -> 3.132.159.158:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49806 -> 3.141.210.37:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49806 -> 3.141.210.37:10715
            Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49836 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49836 -> 3.141.142.211:10715
            Source: Traffic, Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49836 -> 3.141.142.211:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49848 -> 3.141.142.211:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49848 -> 3.141.142.211:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49853 -> 3.132.159.158:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49853 -> 3.132.159.158:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49854 -> 18.189.106.45:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49854 -> 18.189.106.45:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49858 -> 3.141.177.1:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49858 -> 3.141.177.1:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49874 -> 3.132.159.158:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49874 -> 3.132.159.158:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49880 -> 18.189.106.45:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49880 -> 18.189.106.45:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49882 -> 18.189.106.45:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49882 -> 18.189.106.45:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49883 -> 3.141.210.37:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49883 -> 3.141.210.37:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49884 -> 3.141.210.37:10715
            Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49884 -> 3.141.210.37:10715
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49886 -> 18.189.106.45:10715
            Source: Malware configuration extractor | URLs: 6.tcp.ngrok.io
            Source: Joe Sandbox View | ASN Name: AMAZON-02US
            Source: Joe Sandbox View | IP Address: 3.141.142.211
            Source: Joe Sandbox View | IP Address: 18.189.106.45
            Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 3.140.223.7:10715
            Source: global traffic | TCP traffic: 192.168.2.3:49756 -> 3.141.142.211:10715
            Source: global traffic | TCP traffic: 192.168.2.3:49757 -> 18.189.106.45:10715
            Source: global traffic | TCP traffic: 192.168.2.3:49760 -> 3.141.210.37:10715
            Source: global traffic | TCP traffic: 192.168.2.3:49794 -> 3.132.159.158:10715
            Source: global traffic | TCP traffic: 192.168.2.3:49858 -> 3.141.177.1:10715
            Source: unknown | DNS traffic detected: queries for: 6.tcp.ngrok.io
            Source: dhcpmon.exe, 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

            E-Banking Fraud

            Source: Yara match | File source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE
            Source: Yara match | File source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR
            Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

            System Summary

            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 4.2.dhcpmon.exe.3053dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.2.dhcpmon.exe.3053dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detects NanoCore | Author: ditekSHen
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 4.2.dhcpmon.exe.3053dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.dhcpmon.exe.3053dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.dhcpmon.exe.3053dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00A3524A
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_05223850
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_052223A0
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_05222FA8
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0522306F
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Static PE information: Section: .rsrc ZLIB complexity 0.999352678571
            Source: dhcpmon.exe.0.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999352678571
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Metadefender: Detection: 82%
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | ReversingLabs: Detection: 100%
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | File read: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe "C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe"
            Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/4@26/7
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9b13b828-50a9-4487-af40-2faff161b8ef}
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

            Data Obfuscation

            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.0.dr, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.0.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Code function: 0_3_00A489E4 push edx; ret 0_3_00A48A53
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Code function: 0_3_00A4AF50 push edx; ret 0_3_00A4AF53
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: dhcpmon.exe.0.dr, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: dhcpmon.exe.0.dr, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 4.0.dhcpmon.exe.a30000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 4.2.dhcpmon.exe.a30000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | File opened: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe TID: 6996 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe TID: 6992 | Thread sleep time: -40000s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5864 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Window / User API: threadDelayed 355
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Window / User API: foregroundWindowGot 1207
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Process information queried: ProcessInformation
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Binary or memory string: Hyper-V RAW
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.293042675.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.255624504.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.415011056.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.457121820.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.370868279.0000000000A32000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.358761592.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.260967686.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.260435353.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Memory allocated: page read and write | page guard
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.457121820.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.370868279.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.282244184.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp, 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000003.275524638.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager,d
            Source: C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE
            Source: Yara match | File source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR
            Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

            Remote Access Functionality

Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe.0.dr | String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match | File source: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, type: SAMPLE
Source: Yara match | File source: 4.2.dhcpmon.exe.407e3c4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.dhcpmon.exe.40829ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.dhcpmon.exe.407e3c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.dhcpmon.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.dhcpmon.exe.407958e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe PID: 6948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4684, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
MITRE ATT&CK matrix, listed per tactic. A number in parentheses is the count shown in the report's matrix cell for a technique matched by this analysis; techniques without a number are the unmatched cells of the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (2); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (2); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (1); Software Packing (12)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (11); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); System Information Discovery (2); System Owner/User Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture (11); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Antivirus detection for the submitted sample

Source | Detection | Scanner | Label | Link
1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | 83% | Metadefender | | Browse
1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |
1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe | 100% | Joe Sandbox ML | |

Antivirus detection for dropped files

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 83% | Metadefender | | Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 98% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |

Antivirus detection for unpacked PE files

Source | Detection | Scanner | Label | Link | Download
0.0.1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe.300000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
4.0.dhcpmon.exe.a30000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
4.2.dhcpmon.exe.a30000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File

No Antivirus matches

Antivirus detection for domains and URLs

Source | Detection | Scanner | Label | Link
6.tcp.ngrok.io | 100% | Avira URL Cloud | malware |
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
6.tcp.ngrok.io | 3.140.223.7 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
6.tcp.ngrok.io | true | Avira URL Cloud: malware | unknown
Contacted public IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
3.141.142.211 | unknown | United States | | 16509 | AMAZON-02US | true
18.189.106.45 | unknown | United States | | 16509 | AMAZON-02US | true
3.141.210.37 | unknown | United States | | 16509 | AMAZON-02US | true
3.140.223.7 | 6.tcp.ngrok.io | United States | | 16509 | AMAZON-02US | true
3.141.177.1 | unknown | United States | | 16509 | AMAZON-02US | true
3.132.159.158 | unknown | United States | | 16509 | AMAZON-02US | true

Private IP
192.168.2.1
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:626643
Start date and time: 2022-05-14 18:52:25 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 7m 53s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@2/4@26/7
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 62
              • Number of non-executed functions: 3
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Adjust boot time
              • Enable AMSI
              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe, PID 6948 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • VT rate limit hit for: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
Time | Type | Description
18:53:28 | API Interceptor | 1000x Sleep call for process: 1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe modified
18:53:29 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run "DHCP Monitor" = C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
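The timeline above, together with the extracted configuration and the contacted hosts, gives a small set of host and network indicators for this sample: the Run value "DHCP Monitor", the drop path under Program Files (x86), DNS resolution of a *.tcp.ngrok.io tunnel name, and a TCP connection to port 10715. The matcher below is an added example, not part of the Joe Sandbox report, that applies those indicators to endpoint telemetry. The event lines are constructed here in a flattened Sysmon-like key="value" layout; the field names (EventID, TargetObject, Details, TargetFilename, QueryName, DestinationHostname, DestinationPort) and the IP 203.0.113.10 are assumptions for the example, not log lines from the analysis.

```python
"""Match the host/network IOCs from this report against Sysmon-style events.

Added example, not part of the Joe Sandbox report. The event lines at the
bottom are constructed; the key="value" layout and field names are an
assumption about how the telemetry was flattened, not a real log format.
"""
import re
from fnmatch import fnmatch

# Indicators taken from the report: autostart value, drop path, C2 host/port.
RUN_KEY_VALUE = "DHCP Monitor"
DROP_PATH = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
C2_HOST_PATTERN = "*.tcp.ngrok.io"   # the config names 6.tcp.ngrok.io; any
                                     # ngrok TCP tunnel is worth a look
C2_PORT = 10715

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn 'Key="Value" Key2="Value2"' into a dict (values are unquoted)."""
    return dict(_KV.findall(line))


def match_event(ev):
    """Return the list of IOC tags this one event matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == "13":  # registry value set
        target = ev.get("TargetObject", "").lower()
        if target.endswith("\\currentversion\\run\\" + RUN_KEY_VALUE.lower()):
            hits.append("persistence:run-key")
        if DROP_PATH.lower() in ev.get("Details", "").lower():
            hits.append("persistence:run-key-target")
    elif eid == "11":  # file create
        if ev.get("TargetFilename", "").lower() == DROP_PATH.lower():
            hits.append("drop:dhcpmon.exe")
    elif eid == "22":  # DNS query
        if fnmatch(ev.get("QueryName", "").lower(), C2_HOST_PATTERN):
            hits.append("c2:ngrok-tcp-tunnel-dns")
    elif eid == "3":  # network connection
        if ev.get("DestinationPort") == str(C2_PORT):
            hits.append("c2:port-10715")
        if fnmatch(ev.get("DestinationHostname", "").lower(), C2_HOST_PATTERN):
            hits.append("c2:ngrok-tcp-tunnel-connect")
    return hits


def scan(lines):
    """Return [(event_index, tags)] for every event that matched an IOC."""
    results = []
    for i, line in enumerate(lines):
        tags = match_event(parse_event(line))
        if tags:
            results.append((i, tags))
    return results


# Constructed events: four that reproduce the report's behaviour, two benign.
SAMPLE_EVENTS = [
    r'EventID="13" Image="C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor" Details="C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"',
    r'EventID="11" Image="C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe" TargetFilename="C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"',
    r'EventID="22" Image="C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" QueryName="6.tcp.ngrok.io" QueryResults="3.140.223.7"',
    r'EventID="3" Image="C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" DestinationHostname="6.tcp.ngrok.io" DestinationIp="3.140.223.7" DestinationPort="10715"',
    r'EventID="3" Image="C:\Windows\System32\svchost.exe" DestinationHostname="ctldl.windowsupdate.com" DestinationIp="203.0.113.10" DestinationPort="80"',
    r'EventID="11" Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\user\Desktop\notes.txt"',
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, tags)
```

The Run-key check deliberately matches on the value name and, separately, on the value data, so a rebuilt sample that keeps the "DHCP Monitor" persona but changes the drop directory still raises the first tag; the ngrok pattern is matched on both the DNS query and the connection event because a resolver cache can suppress the query while the connection still appears.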
Context for contacted IPs (samples previously seen contacting the same IP; all detected as malicious)

Match: 3.141.142.211
Associated samples: CIx12bBt4K.exe, tUHkQzUI0S.exe, saUWpDmCAr.exe, hJA3F1SYM3.exe, 1B0hFDX5sb.exe, eGK8IFYWXa.exe, 3a5vrOxEG1.exe, fe1H9FU3S0.exe, PV4Br3B2Al.exe, 3fn9W1PCb2.exe, uJ8lf89onF.exe, RjzwQ3x2aI.exe, u3yLVTfjxA.exe, E54v4BaKFB.exe, g75f6Oi2d2.exe, fQX06cCXO1.exe, v0lXekC6UC.exe, y3XwFCcaOy.exe, 1E55C31399AACC9290F92D5F269897A82C8674C3A5F2C.exe, 8jeJiEKWI3.exe

Match: 18.189.106.45
Associated samples: yGZ65uU0yj.exe (context: 6.tcp.ngrok.io:14876/)
Context for contacted domains (samples previously seen contacting the same domain; all detected as malicious, with the IP the domain resolved to in that analysis)

Match: 6.tcp.ngrok.io
CIx12bBt4K.exe: 3.141.210.37
tUHkQzUI0S.exe: 3.140.223.7
yGZ65uU0yj.exe: 18.189.106.45
saUWpDmCAr.exe: 3.141.177.1
1B0hFDX5sb.exe: 3.140.223.7
eGK8IFYWXa.exe: 3.140.223.7
3a5vrOxEG1.exe: 3.132.159.158
fe1H9FU3S0.exe: 3.141.177.1
sUX4fpNib1.exe: 3.132.159.158
PV4Br3B2Al.exe: 3.132.159.158
UaBeNVuk.exe: 3.140.223.7
3fn9W1PCb2.exe: 3.141.177.1
uJ8lf89onF.exe: 3.140.223.7
RjzwQ3x2aI.exe: 3.141.177.1
u3yLVTfjxA.exe: 3.141.142.211
nOp7fjQyLd.exe: 3.141.177.1
E54v4BaKFB.exe: 3.132.159.158
H9c7Tcdkf8.exe: 3.140.223.7
g75f6Oi2d2.exe: 3.141.210.37
orcus.exe: 3.141.210.37
Context for contacted ASNs (samples previously seen contacting the same ASN; all detected as malicious, with the IP contacted in that analysis)

Match: AMAZON-02US
1RNa4Y6mPR: 99.81.68.111
3ybcb9P3wy: 52.193.42.170
xRjjWSOpzT: 44.240.142.240
k2hZRsiQCH: 54.233.11.250
zzVvuiyRQ1: 13.236.232.178
albouzechat build220513.exe: 3.121.139.82
63CYVWIouB: 13.232.173.25
7ECCDD2DFBA647FAC22066819DC893C1CB467252A2381.exe: 52.217.9.132
SCINSE5BAK.exe: 3.13.191.225
M5VGS77ZYY: 18.134.54.218
IsQzUGbu7m: 44.252.140.191
sora.arm7: 54.127.156.255
sora.arm: 108.143.162.126
0vFX7VXc9U: 18.132.24.3
uuC6SqiHEK: 54.118.15.136
Yhy1iNn3Z5: 184.77.138.26
NE8O7liu0s: 184.77.151.6
VC3SWrkssz: 184.76.52.183
Tsunami.arm: 184.169.138.20
INVOICE03800838-93U8REMIT903904989304.HTML: 13.224.103.60
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):207360
                                                      Entropy (8bit):7.44673871085536
                                                      Encrypted:false
                                                      SSDEEP:6144:gLV6Bta6dtJmakIM5HlWUu5LYkO0TrWSB:gLV6BtpmkIlM5LYkO0TKM
                                                      MD5:7564920DF8FDAC8A30144D4297173194
                                                      SHA1:7E5451C6DE3E46983C22AB6FE70EB0C6E5FC21DA
                                                      SHA-256:1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE7519F677AD64BCC162A61
                                                      SHA-512:A208A85DAB10B37E344D5EBED56C05DD09C93EACC6AAAE610DD5D4E8E395A3788CBE6342C7000A27CBDCBCABED6E5043FABF5D796853794A9498AFDF0332D6F6
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
                                                      • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: Metadefender, Detection: 83%, Browse
                                                      • Antivirus: ReversingLabs, Detection: 98%
                                                      Reputation:low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ..p]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...p]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                                      Process:C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):525
                                                      Entropy (8bit):5.2874233355119316
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                      MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                      Process:C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):3.0
                                                      Encrypted:false
                                                      SSDEEP:3:Jtn:jn
                                                      MD5:24DE9846E6AE08C5DCA9BCDA9F509FC1
                                                      SHA1:CFA73A7289F9EC1FEC3DCDAB3B7D6FC788BF52B7
                                                      SHA-256:0EA4EE35E4DB371C1C0ACCC8D42C119750B93519D77263572574AD7EE2321E5B
                                                      SHA-512:BF56D6F04A2402E3B064ACE5B2FB0B3B8E201EBA90BF713430347063CE4D5736F23C07652B3E5FD0DC60BB533AF463A136BBB64DCC6ACE6EE98F7104A9D82B52
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview:..Z..6.H
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.44673871085536
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
                                                      File size:207360
                                                      MD5:7564920df8fdac8a30144d4297173194
                                                      SHA1:7e5451c6de3e46983c22ab6fe70eb0c6e5fc21da
                                                      SHA256:1da2baedb633fd4884fce89a2d9d8630c2e7af359fe7519f677ad64bcc162a61
                                                      SHA512:a208a85dab10b37e344d5ebed56c05dd09c93eacc6aaae610dd5d4e8e395a3788cbe6342c7000a27cbdcbcabed6e5043fabf5d796853794a9498afdf0332d6f6
                                                      SSDEEP:6144:gLV6Bta6dtJmakIM5HlWUu5LYkO0TrWSB:gLV6BtpmkIlM5LYkO0TKM
                                                      TLSH:4914BF5677E94A2FE2DE86B9602211128379C2E3E8C3F7DE28D454F78B267E406071D3
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. .....................................................................
                                                      Icon Hash:00828e8e8686b000
                                                      Entrypoint:0x41e792
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                      DLL Characteristics:
                                                      Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v2.0.50727
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the listing continues with add byte ptr [eax], al repeated for the rest of the window: the bytes after the jump are 00 00 padding, which disassembles to that instruction; 00402000h is ImageBase 0x400000 plus the IAT at RVA 0x2000, i.e. the mscoree.dll!_CorExeMain slot, the usual native entry stub of a .NET executable)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x15d70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.594503837719 | data | 6.59807178823 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x15d70 | 0x15e00 | False | 0.999352678571 | data | 7.99767001734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_RCDATA | 0x22058 | 0x15d18 | TIM image, (20535,52663) | |

DLL | Import
mscoree.dll | _CorExeMain
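The static PE facts above (entrypoint 0x41e792, a CLR header at RVA 0x2008, a single mscoree.dll!_CorExeMain import, and a .rsrc section whose entropy is 7.998 out of a possible 8.0) are the kind of thing a triage script should reproduce without trusting the sandbox. The following is an added example, not Joe Sandbox code: a standard-library-only PE32 walker that reads the section table, flags the CLR data directory, and computes per-section Shannon entropy on the same 0-to-8 scale the report uses. It is exercised on a synthetic PE32 image built in memory (constructed test data, not the analysed sample); the entrypoint and directory values in that image are copied from the report so the output is comparable. The reading that a near-8.0 RCDATA resource inside a tiny .NET loader is an embedded encrypted or compressed payload is an inference, consistent with the report's ".NET source code contains potential unpacker" signature.

```python
import math
import random
import struct

# Index of the CLR runtime header in the PE data directory table.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 to 8.0, the same scale the report uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(image: bytes) -> dict:
    """Entrypoint VA, CLR header presence and per-section entropy of a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    clr_rva, clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else (0, 0)

    sections = []
    first_section = opt + opt_size
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of 40 bytes)
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, first_section + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return {
        "entrypoint": image_base + entry_rva,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
    }


def high_entropy_sections(info: dict, threshold: float = 7.9) -> list:
    """Sections whose bytes are close to uniformly random, as .rsrc is in this sample."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= threshold]


def build_test_image() -> bytes:
    """Constructed PE32 image (test data, not the analysed sample): a flat .text
    section, a pseudo-random .rsrc, and a CLR header directory entry."""
    text = b"\xCC" * 0x200                                   # one repeated byte: entropy 0.0
    rng = random.Random(1)
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x4000))  # uniform bytes: entropy near 8.0
    headers = bytearray(0x200)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)              # e_lfanew
    headers[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", headers, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", headers, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", headers, opt + 16, 0x1E792)       # AddressOfEntryPoint (RVA, as in the report)
    struct.pack_into("<I", headers, opt + 28, 0x400000)      # ImageBase
    struct.pack_into("<I", headers, opt + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", headers, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    sec = opt + 224
    layout = [(b".text", text, 0x2000, 0x200), (b".rsrc", rsrc, 0x22000, 0x200 + len(text))]
    for j, (name, data, vaddr, raw_ptr) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", headers, sec + 40 * j,
                         name, len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, 0)
    return bytes(headers) + text + rsrc


if __name__ == "__main__":
    info = parse_pe32(build_test_image())
    print(f"entrypoint 0x{info['entrypoint']:x}  .NET: {info['is_dotnet']}")
    for s in info["sections"]:
        print(f"{s['name']:<8} rva 0x{s['virtual_address']:x} entropy {s['entropy']:.3f}")
    print("high-entropy sections:", high_entropy_sections(info))
```

Run it against the real sample with `parse_pe32(open(path, "rb").read())`; the .rsrc entry should come back at the 7.998 the report shows, and the `.NET` flag confirms that the `jmp dword ptr [00402000h]` stub hands control to the CLR rather than to native code worth disassembling further.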
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/14/22-18:53:45.756170 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49758 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:53:40.189537 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:36.688201 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49794 | 10715 | 192.168.2.3 | 3.132.159.158
05/14/22-18:54:41.730487 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49806 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:54:51.648514 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49848 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:01.842670 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49854 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:55:26.161126 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49883 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:53:30.583587 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
05/14/22-18:54:00.755092 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49765 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:53:30.746005 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
05/14/22-18:54:41.230236 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49806 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:53:50.228503 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:53:35.773125 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:06.246494 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49858 | 10715 | 192.168.2.3 | 3.141.177.1
05/14/22-18:53:45.315185 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:55:06.694095 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49858 | 10715 | 192.168.2.3 | 3.141.177.1
05/14/22-18:55:01.397157 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49854 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:55:35.481238 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49886 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:06.080233 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:54:15.860094 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49781 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:30.861568 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49884 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:54:25.617279 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:54:46.608305 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49836 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:54:31.286610 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49791 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:56.252366 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49853 | 10715 | 192.168.2.3 | 3.132.159.158
05/14/22-18:54:20.769932 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:11.701384 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49874 | 10715 | 192.168.2.3 | 3.132.159.158
05/14/22-18:53:35.332411 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:16.679672 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49880 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:55:17.122336 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49880 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:55:21.440941 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49882 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:46.418129 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49836 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:21.882674 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49882 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:11.046665 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49776 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:54:00.902736 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49765 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:53:55.476894 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49760 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:54:36.540422 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49794 | 10715 | 192.168.2.3 | 3.132.159.158
05/14/22-18:55:12.139699 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49874 | 10715 | 192.168.2.3 | 3.132.159.158
05/14/22-18:53:40.555893 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49757 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:53:45.756170 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49758 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:25.912977 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49785 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:54:11.487905 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49776 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:53:50.666342 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49759 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:21.223616 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49783 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:53:55.034238 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49760 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:54:56.699602 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49853 | 10715 | 192.168.2.3 | 3.132.159.158
05/14/22-18:54:16.302738 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49781 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:54:06.525535 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49770 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:31.304803 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49884 | 10715 | 192.168.2.3 | 3.141.210.37
05/14/22-18:54:30.845080 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49791 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:46.122377 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49836 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:54:51.048070 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49848 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:55:26.602738 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49883 | 10715 | 192.168.2.3 | 3.141.210.37
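Every alert in the table above targets port 10715, which is the "Port" value in the NanoCore configuration extracted at the top of the report, while the destination spreads over six different addresses; the config names only the hostname 6.tcp.ngrok.io, so the inference is that the durable indicator to hunt for is that hostname plus the port, not any single IP. The script below is an added example, not Joe Sandbox code or output: it parses alert rows in the report's column order (timestamp, protocol, SID, message, source port, dest port, source IP, dest IP, here pipe-separated), lists the distinct C2 endpoints with first and last seen, counts hits per SID, flags any alert that is not on the configured port, and measures the spacing of the keep-alive beacon alerts (SID 2816718). The sample rows are constructed from rows of the table; the configured port is taken from the extracted configuration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# "Port" from the NanoCore configuration extracted at the top of the report.
CONFIGURED_C2_PORT = 10715

# Constructed from rows of the report's Snort alert table (same column order:
# timestamp, protocol, SID, message, source port, dest port, source IP, dest IP).
SAMPLE_ALERTS = """\
05/14/22-18:53:30.583587 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
05/14/22-18:53:30.746005 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
05/14/22-18:53:35.332411 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
05/14/22-18:53:45.315185 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:53:45.756170 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49758 | 10715 | 192.168.2.3 | 18.189.106.45
05/14/22-18:54:46.418129 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49836 | 10715 | 192.168.2.3 | 3.141.142.211
"""


def parse_alert(line: str) -> dict:
    """One pipe-separated alert row into a dict with typed fields."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
    return {
        "ts": datetime.strptime(fields[0], "%m/%d/%y-%H:%M:%S.%f"),
        "proto": fields[1],
        "sid": int(fields[2]),
        "msg": fields[3],
        "sport": int(fields[4]),
        "dport": int(fields[5]),
        "src": fields[6],
        "dst": fields[7],
    }


def parse_alerts(text: str) -> list:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def c2_endpoints(alerts: list) -> list:
    """Distinct (dest IP, dest port) pairs in numeric address order."""
    pairs = {(a["dst"], a["dport"]) for a in alerts}
    return sorted(pairs, key=lambda p: (ipaddress.ip_address(p[0]), p[1]))


def sid_counts(alerts: list) -> Counter:
    return Counter(a["sid"] for a in alerts)


def off_port_alerts(alerts: list, port: int = CONFIGURED_C2_PORT) -> list:
    """Alerts whose destination port differs from the port in the extracted config."""
    return [a for a in alerts if a["dport"] != port]


def beacon_intervals(alerts: list, sid: int = 2816718) -> list:
    """Seconds between consecutive keep-alive beacon alerts (SID 2816718 in the report)."""
    times = sorted(a["ts"] for a in alerts if a["sid"] == sid)
    return [round((later - earlier).total_seconds(), 3) for earlier, later in zip(times, times[1:])]


def first_last_seen(alerts: list) -> dict:
    """Per destination IP: (first, last) alert timestamps."""
    seen = {}
    for a in alerts:
        first, last = seen.get(a["dst"], (a["ts"], a["ts"]))
        seen[a["dst"]] = (min(first, a["ts"]), max(last, a["ts"]))
    return seen


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    window = first_last_seen(alerts)
    for ip, port in c2_endpoints(alerts):
        first, last = window[ip]
        print(f"{ip}:{port}  first {first.time()}  last {last.time()}")
    print("alerts per SID:", dict(sid_counts(alerts)))
    print("beacon intervals (s):", beacon_intervals(alerts))
    print("alerts off the configured port:", len(off_port_alerts(alerts)))
```

Feeding the full table in gives the complete endpoint list; a non-empty `off_port_alerts` result would mean the extracted config and the observed traffic disagree, which is worth a second look before the config's port is used as a blocking rule.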
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 18:53:30.152717113 CEST | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
May 14, 2022 18:53:30.300458908 CEST | 10715 | 49740 | 3.140.223.7 | 192.168.2.3
May 14, 2022 18:53:30.300592899 CEST | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
May 14, 2022 18:53:30.583586931 CEST | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
May 14, 2022 18:53:30.731373072 CEST | 10715 | 49740 | 3.140.223.7 | 192.168.2.3
May 14, 2022 18:53:30.731479883 CEST | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
May 14, 2022 18:53:30.745915890 CEST | 10715 | 49740 | 3.140.223.7 | 192.168.2.3
May 14, 2022 18:53:30.746005058 CEST | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
May 14, 2022 18:53:30.752690077 CEST | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
May 14, 2022 18:53:30.893910885 CEST | 10715 | 49740 | 3.140.223.7 | 192.168.2.3
May 14, 2022 18:53:30.894033909 CEST | 49740 | 10715 | 192.168.2.3 | 3.140.223.7
May 14, 2022 18:53:35.177712917 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.325093985 CEST | 10715 | 49756 | 3.141.142.211 | 192.168.2.3
May 14, 2022 18:53:35.325269938 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.332411051 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.479594946 CEST | 10715 | 49756 | 3.141.142.211 | 192.168.2.3
May 14, 2022 18:53:35.480998039 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.628302097 CEST | 10715 | 49756 | 3.141.142.211 | 192.168.2.3
May 14, 2022 18:53:35.628876925 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.771130085 CEST | 10715 | 49756 | 3.141.142.211 | 192.168.2.3
May 14, 2022 18:53:35.773124933 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.773258924 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.776134968 CEST | 10715 | 49756 | 3.141.142.211 | 192.168.2.3
May 14, 2022 18:53:35.776266098 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
May 14, 2022 18:53:35.920591116 CEST | 10715 | 49756 | 3.141.142.211 | 192.168.2.3
May 14, 2022 18:53:35.920778036 CEST | 49756 | 10715 | 192.168.2.3 | 3.141.142.211
                                                      May 14, 2022 18:53:40.026853085 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:40.174282074 CEST107154975718.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:40.174491882 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:40.189537048 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:40.336873055 CEST107154975718.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:40.336997986 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:40.484273911 CEST107154975718.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:40.555892944 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:40.629710913 CEST107154975718.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:40.629822016 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:40.631099939 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:40.703073025 CEST107154975718.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:40.703206062 CEST4975710715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.166917086 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.314317942 CEST107154975818.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:45.314440012 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.315185070 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.462436914 CEST107154975818.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:45.463409901 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.610654116 CEST107154975818.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:45.618048906 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.755908012 CEST107154975818.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:45.756170034 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.756222963 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.765223980 CEST107154975818.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:45.767869949 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:45.903568029 CEST107154975818.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:45.905920982 CEST4975810715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.075531006 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.223118067 CEST107154975918.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:50.223277092 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.228502989 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.375870943 CEST107154975918.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:50.376728058 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.524233103 CEST107154975918.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:50.524324894 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.664855957 CEST107154975918.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:50.666342020 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.666410923 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.671622992 CEST107154975918.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:50.673928976 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:50.813819885 CEST107154975918.189.106.45192.168.2.3
                                                      May 14, 2022 18:53:50.814275980 CEST4975910715192.168.2.318.189.106.45
                                                      May 14, 2022 18:53:54.885710001 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:53:55.033107042 CEST10715497603.141.210.37192.168.2.3
                                                      May 14, 2022 18:53:55.033243895 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:53:55.034238100 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:53:55.181597948 CEST10715497603.141.210.37192.168.2.3
                                                      May 14, 2022 18:53:55.181685925 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:53:55.329044104 CEST10715497603.141.210.37192.168.2.3
                                                      May 14, 2022 18:53:55.329144955 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:53:55.476773977 CEST10715497603.141.210.37192.168.2.3
                                                      May 14, 2022 18:53:55.476893902 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:53:55.478843927 CEST10715497603.141.210.37192.168.2.3
                                                      May 14, 2022 18:53:55.478924990 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:53:55.479059935 CEST4976010715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:00.582742929 CEST4976510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:00.730499029 CEST10715497653.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:00.730712891 CEST4976510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:00.755091906 CEST4976510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:00.902534008 CEST10715497653.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:00.902735949 CEST4976510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:01.050062895 CEST10715497653.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:01.178420067 CEST10715497653.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:01.353086948 CEST4976510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:01.642544985 CEST4976510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:05.931350946 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:06.078870058 CEST10715497703.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:06.079674959 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:06.080233097 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:06.227596998 CEST10715497703.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:06.230441093 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:06.377821922 CEST10715497703.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:06.377979040 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:06.525372982 CEST10715497703.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:06.525535107 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:06.535331964 CEST10715497703.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:06.535423994 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:06.535541058 CEST4977010715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:10.898956060 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:11.046062946 CEST10715497763.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:11.046241045 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:11.046664953 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:11.193499088 CEST10715497763.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:11.193628073 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:11.340677977 CEST10715497763.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:11.340776920 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:11.487726927 CEST10715497763.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:11.487905025 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:11.493426085 CEST10715497763.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:11.493510008 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:11.495717049 CEST4977610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:15.711116076 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:15.858635902 CEST10715497813.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:15.858788013 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:15.860094070 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:16.007469893 CEST10715497813.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:16.007589102 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:16.155062914 CEST10715497813.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:16.155308008 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:16.302632093 CEST10715497813.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:16.302737951 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:16.319565058 CEST10715497813.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:16.319669962 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:16.319828033 CEST4978110715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:20.622067928 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:20.769227028 CEST10715497833.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:20.769335032 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:20.769932032 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:20.917064905 CEST10715497833.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:20.917179108 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:21.064358950 CEST10715497833.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:21.064513922 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:21.211622000 CEST10715497833.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:21.211724997 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:21.223522902 CEST10715497833.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:21.223615885 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:21.223772049 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:21.370836973 CEST10715497833.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:21.370956898 CEST4978310715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:25.467544079 CEST4978510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:25.616609097 CEST10715497853.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:25.616785049 CEST4978510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:25.617279053 CEST4978510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:25.764616966 CEST10715497853.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:25.765403986 CEST4978510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:25.912751913 CEST10715497853.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:25.912976980 CEST4978510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:26.060369015 CEST10715497853.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:26.065615892 CEST10715497853.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:26.097451925 CEST4978510715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:30.697204113 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:30.844441891 CEST107154979118.189.106.45192.168.2.3
                                                      May 14, 2022 18:54:30.844556093 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:30.845079899 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:30.992130995 CEST107154979118.189.106.45192.168.2.3
                                                      May 14, 2022 18:54:30.992218018 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:31.139259100 CEST107154979118.189.106.45192.168.2.3
                                                      May 14, 2022 18:54:31.139334917 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:31.286462069 CEST107154979118.189.106.45192.168.2.3
                                                      May 14, 2022 18:54:31.286609888 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:31.291202068 CEST107154979118.189.106.45192.168.2.3
                                                      May 14, 2022 18:54:31.291393042 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:31.291455030 CEST4979110715192.168.2.318.189.106.45
                                                      May 14, 2022 18:54:36.061460972 CEST4979410715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:36.209315062 CEST10715497943.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:36.209502935 CEST4979410715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:36.540421963 CEST4979410715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:36.688072920 CEST10715497943.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:36.688200951 CEST4979410715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:36.712532997 CEST10715497943.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:36.712613106 CEST4979410715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:36.712791920 CEST4979410715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:41.082503080 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.229604006 CEST10715498063.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:41.229779959 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.230236053 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.377199888 CEST10715498063.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:41.377445936 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.524523973 CEST10715498063.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:41.524694920 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.671823025 CEST10715498063.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:41.671910048 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.730402946 CEST10715498063.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:41.730487108 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.730675936 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.818886995 CEST10715498063.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:41.818958998 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:41.877537012 CEST10715498063.141.210.37192.168.2.3
                                                      May 14, 2022 18:54:41.877680063 CEST4980610715192.168.2.33.141.210.37
                                                      May 14, 2022 18:54:45.974740028 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.121725082 CEST10715498363.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:46.121865988 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.122376919 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.269231081 CEST10715498363.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:46.269344091 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.416407108 CEST10715498363.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:46.418128967 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.565009117 CEST10715498363.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:46.565114975 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.608200073 CEST10715498363.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:46.608304977 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.608442068 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.713560104 CEST10715498363.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:46.713654041 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:46.755424023 CEST10715498363.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:46.755498886 CEST4983610715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:50.898606062 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.047024965 CEST10715498483.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:51.047182083 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.048069954 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.195002079 CEST10715498483.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:51.198203087 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.345225096 CEST10715498483.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:51.345316887 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.492129087 CEST10715498483.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:51.492222071 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.639094114 CEST10715498483.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:51.648514032 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.656124115 CEST10715498483.141.142.211192.168.2.3
                                                      May 14, 2022 18:54:51.656233072 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:51.668348074 CEST4984810715192.168.2.33.141.142.211
                                                      May 14, 2022 18:54:56.103430986 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.251785994 CEST10715498533.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:56.251897097 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.252366066 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.400321960 CEST10715498533.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:56.403075933 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.551284075 CEST10715498533.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:56.551388979 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.699465990 CEST10715498533.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:56.699601889 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.755795002 CEST10715498533.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:56.755976915 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.756295919 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:54:56.847762108 CEST10715498533.132.159.158192.168.2.3
                                                      May 14, 2022 18:54:56.848031044 CEST4985310715192.168.2.33.132.159.158
                                                      May 14, 2022 18:55:01.244637012 CEST4985410715192.168.2.318.189.106.45
                                                      May 14, 2022 18:55:01.392872095 CEST107154985418.189.106.45192.168.2.3
                                                      May 14, 2022 18:55:01.396615028 CEST4985410715192.168.2.318.189.106.45
                                                      May 14, 2022 18:55:01.397156954 CEST4985410715192.168.2.318.189.106.45
                                                      May 14, 2022 18:55:01.545783043 CEST107154985418.189.106.45192.168.2.3
                                                      May 14, 2022 18:55:01.545939922 CEST4985410715192.168.2.318.189.106.45
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 14, 2022 18:55:01.693589926 CEST  10715        49854      18.189.106.45  192.168.2.3
May 14, 2022 18:55:01.693676949 CEST  49854        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:01.841094017 CEST  10715        49854      18.189.106.45  192.168.2.3
May 14, 2022 18:55:01.842669964 CEST  49854        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:01.844084024 CEST  10715        49854      18.189.106.45  192.168.2.3
May 14, 2022 18:55:01.844280005 CEST  49854        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:01.844364882 CEST  49854        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:06.098848104 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:06.245791912 CEST  10715        49858      3.141.177.1    192.168.2.3
May 14, 2022 18:55:06.245884895 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:06.246494055 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:06.393498898 CEST  10715        49858      3.141.177.1    192.168.2.3
May 14, 2022 18:55:06.393634081 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:06.540652037 CEST  10715        49858      3.141.177.1    192.168.2.3
May 14, 2022 18:55:06.546610117 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:06.694014072 CEST  10715        49858      3.141.177.1    192.168.2.3
May 14, 2022 18:55:06.694094896 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:06.702502012 CEST  10715        49858      3.141.177.1    192.168.2.3
May 14, 2022 18:55:06.702673912 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:06.703289986 CEST  49858        10715      192.168.2.3    3.141.177.1
May 14, 2022 18:55:11.545707941 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:11.693553925 CEST  10715        49874      3.132.159.158  192.168.2.3
May 14, 2022 18:55:11.693734884 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:11.701384068 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:11.849076986 CEST  10715        49874      3.132.159.158  192.168.2.3
May 14, 2022 18:55:11.849241972 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:11.998168945 CEST  10715        49874      3.132.159.158  192.168.2.3
May 14, 2022 18:55:11.998286963 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:12.139589071 CEST  10715        49874      3.132.159.158  192.168.2.3
May 14, 2022 18:55:12.139698982 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:12.146002054 CEST  10715        49874      3.132.159.158  192.168.2.3
May 14, 2022 18:55:12.153951883 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:12.287432909 CEST  10715        49874      3.132.159.158  192.168.2.3
May 14, 2022 18:55:12.287574053 CEST  49874        10715      192.168.2.3    3.132.159.158
May 14, 2022 18:55:16.531578064 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:16.678880930 CEST  10715        49880      18.189.106.45  192.168.2.3
May 14, 2022 18:55:16.679081917 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:16.679672003 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:16.826948881 CEST  10715        49880      18.189.106.45  192.168.2.3
May 14, 2022 18:55:16.827029943 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:16.974143982 CEST  10715        49880      18.189.106.45  192.168.2.3
May 14, 2022 18:55:16.974239111 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:17.121455908 CEST  10715        49880      18.189.106.45  192.168.2.3
May 14, 2022 18:55:17.122335911 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:17.189387083 CEST  10715        49880      18.189.106.45  192.168.2.3
May 14, 2022 18:55:17.189476967 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:17.189632893 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:17.269768953 CEST  10715        49880      18.189.106.45  192.168.2.3
May 14, 2022 18:55:17.269932985 CEST  49880        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.292902946 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.440340996 CEST  10715        49882      18.189.106.45  192.168.2.3
May 14, 2022 18:55:21.440438032 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.440941095 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.587969065 CEST  10715        49882      18.189.106.45  192.168.2.3
May 14, 2022 18:55:21.588053942 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.735147953 CEST  10715        49882      18.189.106.45  192.168.2.3
May 14, 2022 18:55:21.735349894 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.882435083 CEST  10715        49882      18.189.106.45  192.168.2.3
May 14, 2022 18:55:21.882673979 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.925446987 CEST  10715        49882      18.189.106.45  192.168.2.3
May 14, 2022 18:55:21.925698996 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:21.926047087 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:22.029849052 CEST  10715        49882      18.189.106.45  192.168.2.3
May 14, 2022 18:55:22.029949903 CEST  49882        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:26.013304949 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:26.160527945 CEST  10715        49883      3.141.210.37   192.168.2.3
May 14, 2022 18:55:26.160655975 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:26.161125898 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:26.308079004 CEST  10715        49883      3.141.210.37   192.168.2.3
May 14, 2022 18:55:26.308171034 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:26.455347061 CEST  10715        49883      3.141.210.37   192.168.2.3
May 14, 2022 18:55:26.455454111 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:26.602622032 CEST  10715        49883      3.141.210.37   192.168.2.3
May 14, 2022 18:55:26.602737904 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:26.629316092 CEST  10715        49883      3.141.210.37   192.168.2.3
May 14, 2022 18:55:26.629520893 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:26.629789114 CEST  49883        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:30.713726997 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:30.860913038 CEST  10715        49884      3.141.210.37   192.168.2.3
May 14, 2022 18:55:30.861057043 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:30.861567974 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:31.010256052 CEST  10715        49884      3.141.210.37   192.168.2.3
May 14, 2022 18:55:31.010420084 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:31.157593012 CEST  10715        49884      3.141.210.37   192.168.2.3
May 14, 2022 18:55:31.157706976 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:31.304733038 CEST  10715        49884      3.141.210.37   192.168.2.3
May 14, 2022 18:55:31.304802895 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:31.308790922 CEST  10715        49884      3.141.210.37   192.168.2.3
May 14, 2022 18:55:31.308907032 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:31.309072971 CEST  49884        10715      192.168.2.3    3.141.210.37
May 14, 2022 18:55:35.333070993 CEST  49886        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:35.480417013 CEST  10715        49886      18.189.106.45  192.168.2.3
May 14, 2022 18:55:35.480741978 CEST  49886        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:35.481237888 CEST  49886        10715      192.168.2.3    18.189.106.45
May 14, 2022 18:55:35.628556967 CEST  10715        49886      18.189.106.45  192.168.2.3
May 14, 2022 18:55:35.924148083 CEST  10715        49886      18.189.106.45  192.168.2.3
May 14, 2022 18:55:35.924930096 CEST  49886        10715      192.168.2.3    18.189.106.45
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 14, 2022 18:53:30.123356104 CEST  57421        53         192.168.2.3    8.8.8.8
May 14, 2022 18:53:30.139904022 CEST  53           57421      8.8.8.8        192.168.2.3
May 14, 2022 18:53:35.043431997 CEST  65358        53         192.168.2.3    8.8.8.8
May 14, 2022 18:53:35.062048912 CEST  53           65358      8.8.8.8        192.168.2.3
May 14, 2022 18:53:39.983046055 CEST  49873        53         192.168.2.3    8.8.8.8
May 14, 2022 18:53:40.001665115 CEST  53           49873      8.8.8.8        192.168.2.3
May 14, 2022 18:53:45.130386114 CEST  53802        53         192.168.2.3    8.8.8.8
May 14, 2022 18:53:45.148720980 CEST  53           53802      8.8.8.8        192.168.2.3
May 14, 2022 18:53:50.055612087 CEST  65266        53         192.168.2.3    8.8.8.8
May 14, 2022 18:53:50.074321032 CEST  53           65266      8.8.8.8        192.168.2.3
May 14, 2022 18:53:54.865468025 CEST  63332        53         192.168.2.3    8.8.8.8
May 14, 2022 18:53:54.884104013 CEST  53           63332      8.8.8.8        192.168.2.3
May 14, 2022 18:54:00.538901091 CEST  51391        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:00.557221889 CEST  53           51391      8.8.8.8        192.168.2.3
May 14, 2022 18:54:05.910094976 CEST  52985        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:05.930022001 CEST  53           52985      8.8.8.8        192.168.2.3
May 14, 2022 18:54:10.878411055 CEST  50778        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:10.896574020 CEST  53           50778      8.8.8.8        192.168.2.3
May 14, 2022 18:54:15.692712069 CEST  59390        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:15.709459066 CEST  53           59390      8.8.8.8        192.168.2.3
May 14, 2022 18:54:20.602340937 CEST  64996        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:20.620956898 CEST  53           64996      8.8.8.8        192.168.2.3
May 14, 2022 18:54:25.447983980 CEST  52096        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:25.466384888 CEST  53           52096      8.8.8.8        192.168.2.3
May 14, 2022 18:54:30.676806927 CEST  49844        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:30.695350885 CEST  53           49844      8.8.8.8        192.168.2.3
May 14, 2022 18:54:36.010186911 CEST  49723        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:36.031011105 CEST  53           49723      8.8.8.8        192.168.2.3
May 14, 2022 18:54:41.064217091 CEST  61877        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:41.080579042 CEST  53           61877      8.8.8.8        192.168.2.3
May 14, 2022 18:54:45.954760075 CEST  61555        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:45.973352909 CEST  53           61555      8.8.8.8        192.168.2.3
May 14, 2022 18:54:50.838273048 CEST  51557        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:50.856714964 CEST  53           51557      8.8.8.8        192.168.2.3
May 14, 2022 18:54:56.082479000 CEST  52487        53         192.168.2.3    8.8.8.8
May 14, 2022 18:54:56.100958109 CEST  53           52487      8.8.8.8        192.168.2.3
May 14, 2022 18:55:01.203088045 CEST  51994        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:01.223702908 CEST  53           51994      8.8.8.8        192.168.2.3
May 14, 2022 18:55:06.072969913 CEST  58950        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:06.091731071 CEST  53           58950      8.8.8.8        192.168.2.3
May 14, 2022 18:55:11.520415068 CEST  53883        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:11.539225101 CEST  53           53883      8.8.8.8        192.168.2.3
May 14, 2022 18:55:16.511949062 CEST  59065        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:16.530073881 CEST  53           59065      8.8.8.8        192.168.2.3
May 14, 2022 18:55:21.275295019 CEST  64589        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:21.291465998 CEST  53           64589      8.8.8.8        192.168.2.3
May 14, 2022 18:55:25.990437984 CEST  64934        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:26.008608103 CEST  53           64934      8.8.8.8        192.168.2.3
May 14, 2022 18:55:30.696547031 CEST  55795        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:30.712841988 CEST  53           55795      8.8.8.8        192.168.2.3
May 14, 2022 18:55:35.315671921 CEST  55269        53         192.168.2.3    8.8.8.8
May 14, 2022 18:55:35.332572937 CEST  53           55269      8.8.8.8        192.168.2.3
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class
May 14, 2022 18:53:30.123356104 CEST  192.168.2.3  8.8.8.8  0xbdbb    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:53:35.043431997 CEST  192.168.2.3  8.8.8.8  0x8498    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:53:39.983046055 CEST  192.168.2.3  8.8.8.8  0xbd83    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:53:45.130386114 CEST  192.168.2.3  8.8.8.8  0x78a9    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:53:50.055612087 CEST  192.168.2.3  8.8.8.8  0x8955    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:53:54.865468025 CEST  192.168.2.3  8.8.8.8  0xb083    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:00.538901091 CEST  192.168.2.3  8.8.8.8  0xbc15    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:05.910094976 CEST  192.168.2.3  8.8.8.8  0x5516    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:10.878411055 CEST  192.168.2.3  8.8.8.8  0xf614    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:15.692712069 CEST  192.168.2.3  8.8.8.8  0x4c7f    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:20.602340937 CEST  192.168.2.3  8.8.8.8  0xd61f    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:25.447983980 CEST  192.168.2.3  8.8.8.8  0x6a3e    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:30.676806927 CEST  192.168.2.3  8.8.8.8  0xec3b    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:36.010186911 CEST  192.168.2.3  8.8.8.8  0xe2ac    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:41.064217091 CEST  192.168.2.3  8.8.8.8  0x4a9c    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:45.954760075 CEST  192.168.2.3  8.8.8.8  0xab74    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:50.838273048 CEST  192.168.2.3  8.8.8.8  0xf6e8    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:54:56.082479000 CEST  192.168.2.3  8.8.8.8  0x64f0    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:01.203088045 CEST  192.168.2.3  8.8.8.8  0xebf4    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:06.072969913 CEST  192.168.2.3  8.8.8.8  0x67d5    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:11.520415068 CEST  192.168.2.3  8.8.8.8  0x9d90    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:16.511949062 CEST  192.168.2.3  8.8.8.8  0x4a6     Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:21.275295019 CEST  192.168.2.3  8.8.8.8  0xcd3e    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:25.990437984 CEST  192.168.2.3  8.8.8.8  0xaee9    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:30.696547031 CEST  192.168.2.3  8.8.8.8  0x371a    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
May 14, 2022 18:55:35.315671921 CEST  192.168.2.3  8.8.8.8  0x6b7d    Standard query (0)  6.tcp.ngrok.io  A (IP address)  IN (0x0001)
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address        Type            Class
May 14, 2022 18:53:30.139904022 CEST  8.8.8.8    192.168.2.3  0xbdbb    No error (0)  6.tcp.ngrok.io  -      3.140.223.7    A (IP address)  IN (0x0001)
May 14, 2022 18:53:35.062048912 CEST  8.8.8.8    192.168.2.3  0x8498    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:53:40.001665115 CEST  8.8.8.8    192.168.2.3  0xbd83    No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
May 14, 2022 18:53:45.148720980 CEST  8.8.8.8    192.168.2.3  0x78a9    No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
May 14, 2022 18:53:50.074321032 CEST  8.8.8.8    192.168.2.3  0x8955    No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
May 14, 2022 18:53:54.884104013 CEST  8.8.8.8    192.168.2.3  0xb083    No error (0)  6.tcp.ngrok.io  -      3.141.210.37   A (IP address)  IN (0x0001)
May 14, 2022 18:54:00.557221889 CEST  8.8.8.8    192.168.2.3  0xbc15    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:54:05.930022001 CEST  8.8.8.8    192.168.2.3  0x5516    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:54:10.896574020 CEST  8.8.8.8    192.168.2.3  0xf614    No error (0)  6.tcp.ngrok.io  -      3.141.210.37   A (IP address)  IN (0x0001)
May 14, 2022 18:54:15.709459066 CEST  8.8.8.8    192.168.2.3  0x4c7f    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:54:20.620956898 CEST  8.8.8.8    192.168.2.3  0xd61f    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:54:25.466384888 CEST  8.8.8.8    192.168.2.3  0x6a3e    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:54:30.695350885 CEST  8.8.8.8    192.168.2.3  0xec3b    No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
May 14, 2022 18:54:36.031011105 CEST  8.8.8.8    192.168.2.3  0xe2ac    No error (0)  6.tcp.ngrok.io  -      3.132.159.158  A (IP address)  IN (0x0001)
May 14, 2022 18:54:41.080579042 CEST  8.8.8.8    192.168.2.3  0x4a9c    No error (0)  6.tcp.ngrok.io  -      3.141.210.37   A (IP address)  IN (0x0001)
May 14, 2022 18:54:45.973352909 CEST  8.8.8.8    192.168.2.3  0xab74    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:54:50.856714964 CEST  8.8.8.8    192.168.2.3  0xf6e8    No error (0)  6.tcp.ngrok.io  -      3.141.142.211  A (IP address)  IN (0x0001)
May 14, 2022 18:54:56.100958109 CEST  8.8.8.8    192.168.2.3  0x64f0    No error (0)  6.tcp.ngrok.io  -      3.132.159.158  A (IP address)  IN (0x0001)
May 14, 2022 18:55:01.223702908 CEST  8.8.8.8    192.168.2.3  0xebf4    No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
May 14, 2022 18:55:06.091731071 CEST  8.8.8.8    192.168.2.3  0x67d5    No error (0)  6.tcp.ngrok.io  -      3.141.177.1    A (IP address)  IN (0x0001)
May 14, 2022 18:55:11.539225101 CEST  8.8.8.8    192.168.2.3  0x9d90    No error (0)  6.tcp.ngrok.io  -      3.132.159.158  A (IP address)  IN (0x0001)
May 14, 2022 18:55:16.530073881 CEST  8.8.8.8    192.168.2.3  0x4a6     No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
May 14, 2022 18:55:21.291465998 CEST  8.8.8.8    192.168.2.3  0xcd3e    No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
May 14, 2022 18:55:26.008608103 CEST  8.8.8.8    192.168.2.3  0xaee9    No error (0)  6.tcp.ngrok.io  -      3.141.210.37   A (IP address)  IN (0x0001)
May 14, 2022 18:55:30.712841988 CEST  8.8.8.8    192.168.2.3  0x371a    No error (0)  6.tcp.ngrok.io  -      3.141.210.37   A (IP address)  IN (0x0001)
May 14, 2022 18:55:35.332572937 CEST  8.8.8.8    192.168.2.3  0x6b7d    No error (0)  6.tcp.ngrok.io  -      18.189.106.45  A (IP address)  IN (0x0001)
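The network tables above, as the report is extracted to text, run the port and IP columns together with no separator. The following is an added example, not code from the report or from Joe Security, that splits such rows back into fields and then pivots from the DNS answers to the TCP connections: which addresses 6.tcp.ngrok.io resolved to, which of them the host actually connected to, on which port, and how regularly it reconnected. 192.168.2.3, 8.8.8.8, 53 and 10715 are taken from the tables; the Windows dynamic port range used to disambiguate the split, the sample rows (copied from the tables in their fused form) and all function names are this example's own assumptions.

```python
"""Recover C2 indicators from Joe Sandbox network rows whose columns were fused.

Added example, not code from the report or from Joe Security. The text export prints
Source Port, Dest Port, Source IP and Dest IP with no separator, and the split is
ambiguous in general ("53574218.8.8.8..." reads as 53+57421 or as 53574+21), so this
parser anchors on the analysis host's IP, the known service ports and the Windows
dynamic port range instead of guessing.
"""
import re
from collections import Counter
from datetime import datetime
from itertools import product
from statistics import median

HOST_IP = "192.168.2.3"          # the analysis VM, present in every row
KNOWN_PORTS = {53, 10715}        # DNS and the C2 port seen in the tables
EPHEMERAL = range(49152, 65536)  # assumption: Windows dynamic client port range
IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"
# Constructed sample: rows from the TCP and DNS answer tables, in fused form.
TCP_ROWS = [
    "May 14, 2022 18:55:06.098848104 CEST4985810715192.168.2.33.141.177.1",
    "May 14, 2022 18:55:06.245791912 CEST10715498583.141.177.1192.168.2.3",
    "May 14, 2022 18:55:11.545707941 CEST4987410715192.168.2.33.132.159.158",
    "May 14, 2022 18:55:16.531578064 CEST4988010715192.168.2.318.189.106.45",
    "May 14, 2022 18:55:21.292902946 CEST4988210715192.168.2.318.189.106.45",
    "May 14, 2022 18:55:26.013304949 CEST4988310715192.168.2.33.141.210.37",
]
DNS_ROWS = [
    "May 14, 2022 18:53:40.001665115 CEST8.8.8.8192.168.2.30xbd83No error (0)6.tcp.ngrok.io18.189.106.45A (IP address)IN (0x0001)",
    "May 14, 2022 18:53:54.884104013 CEST8.8.8.8192.168.2.30xb083No error (0)6.tcp.ngrok.io3.141.210.37A (IP address)IN (0x0001)",
    "May 14, 2022 18:54:36.031011105 CEST8.8.8.8192.168.2.30xe2acNo error (0)6.tcp.ngrok.io3.132.159.158A (IP address)IN (0x0001)",
    "May 14, 2022 18:55:06.091731071 CEST8.8.8.8192.168.2.30x67d5No error (0)6.tcp.ngrok.io3.141.177.1A (IP address)IN (0x0001)",
]

def valid_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def split_ips(fused):
    """Every cut of two separator-less IPv4 addresses into two valid addresses."""
    return [(fused[:i], fused[i:]) for i in range(7, len(fused)- 6)
            if valid_ip(fused[:i]) and valid_ip(fused[i:])]

def plausible_pair(p1, p2):
    """One side must be a known service port and the other a dynamic client port."""
    return (p1 in KNOWN_PORTS and p2 in EPHEMERAL) or (p2 in KNOWN_PORTS and p1 in EPHEMERAL)

def split_ports_ips(fused, host_ip=HOST_IP):
    """'<sport><dport><sip><dip>' -> (sport, dport, sip, dip); raises unless unique."""
    cands = []
    for a, b in product(range(1, 6), repeat=2):  # each port is 1 to 5 digits
        p1, p2, rest = fused[:a], fused[a:a + b], fused[a + b:]
        if p1.isdigit() and p2.isdigit() and plausible_pair(int(p1), int(p2)):
            cands += [(int(p1), int(p2), s, d) for s, d in split_ips(rest) if host_ip in (s, d)]
    if len(cands) != 1:
        raise ValueError(f"ambiguous or unparseable row {fused!r}: {cands}")
    return cands[0]

def parse_ts(ts):
    """'May 14, 2022 18:53:30.139904022 CEST' -> datetime, nanoseconds cut to microseconds."""
    base, frac = ts.replace(" CEST", "").rsplit(".", 1)
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")

def parse_tcp(rows, host_ip=HOST_IP):
    """Yield (time, sport, dport, sip, dip) per fused TCP row."""
    for row in rows:
        ts, fused = re.match(r"^(.+? CEST)([\d.]+)$", row).groups()
        yield (parse_ts(ts), *split_ports_ips(fused, host_ip))

DNS_ANSWER_RE = re.compile(
    r"^(?P<ts>.+? CEST)[\d.]+?(?P<txid>0x[0-9a-f]+)No error \(0\)"
    rf"(?P<name>.+?)(?P<addr>{IP_RE})A \(IP address\)IN \(0x0001\)$")

def parse_dns_answers(rows):
    """Yield (time, txid, name, address) per fused DNS answer row (CName assumed empty, as here)."""
    for row in rows:
        m = DNS_ANSWER_RE.match(row)
        yield (parse_ts(m["ts"]), m["txid"], m["name"], m["addr"])

def c2_summary(tcp_rows, dns_rows, host_ip=HOST_IP):
    """Correlate what the host resolved with what it actually connected to."""
    resolved = {}
    for _, _, name, addr in parse_dns_answers(dns_rows):
        resolved.setdefault(name, set()).add(addr)
    # key = (client port, remote ip, remote port): replies and retransmits collapse onto it
    first_seen = {}
    for t, sport, dport, sip, dip in parse_tcp(tcp_rows, host_ip):
        if sip == host_ip:
            first_seen.setdefault((sport, dip, dport), t)
    starts = sorted(first_seen.values())
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    all_resolved = set().union(*resolved.values())
    return {
        "domains": sorted(resolved),
        "resolved_ips": sorted(all_resolved),
        "c2_port": (Counter(k[2] for k in first_seen).most_common(1) or [(None, 0)])[0][0],
        "connections": len(first_seen),
        # contacted without a matching answer: hard-coded address or cached resolution
        "ips_not_resolved": sorted({dip for _, dip, _ in first_seen} - all_resolved),
        "median_reconnect_s": median(gaps) if gaps else None,
    }
```

Calling `c2_summary(TCP_ROWS, DNS_ROWS)` on the sample rows reports one domain, five outbound connections to port 10715, no contacted address that was not first resolved, and a median gap of a little under five seconds between new connections. Two caveats: the dynamic-range assumption breaks for a client configured with a non-default port range, so the parser raises instead of guessing when a row stays ambiguous, and the answers for 6.tcp.ngrok.io rotate across several addresses, so the durable indicators are the hostname and the port rather than any single IP.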


                                                      Target ID:0
                                                      Start time:18:53:25
                                                      Start date:14/05/2022
                                                      Path:C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.exe"
                                                      Imagebase:0x300000
                                                      File size:207360 bytes
                                                      MD5 hash:7564920DF8FDAC8A30144D4297173194
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.242929781.0000000000302000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation:low

                                                      Target ID:4
                                                      Start time:18:53:37
                                                      Start date:14/05/2022
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                      Imagebase:0xa30000
                                                      File size:207360 bytes
                                                      MD5 hash:7564920DF8FDAC8A30144D4297173194
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.267570909.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.286197022.0000000004031000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.286128721.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
                                                      • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 83%, Metadefender
                                                      • Detection: 98%, ReversingLabs
                                                      Reputation:low

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000003.293042675.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, Offset: 00A38000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_3_a38000_1DA2BAEDB633FD4884FCE89A2D9D8630C2E7AF359FE75.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 2.0.$C$m$neut
                                                        • API String ID: 0-3015459196
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:21.8%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:57
                                                        Total number of Limit Nodes:6
                                                        execution_graph: node/edge listing omitted; API nodes reached: SetWindowLongW, RegQueryValueExW, CreateMutexW, OleInitialize, PostMessageW, DuplicateHandle, CreateIconFromResourceEx, DispatchMessageW, RegOpenKeyExW, CreateActCtxA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is RegQueryValueExW
                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE ref: 02AFABB4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID: _
                                                        • API String ID: 3660427363-701932520
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is RegOpenKeyExW
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02AFAAB1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is CreateMutexW
                                                        APIs
                                                        • CreateMutexW.KERNELBASE(?,?), ref: 0534019D
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286395338.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5340000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is CreateActCtxA
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 02AFAFEA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is RegOpenKeyExW
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02AFAAB1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is CreateMutexW
                                                        APIs
                                                        • CreateMutexW.KERNELBASE(?,?), ref: 0534019D
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286395338.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5340000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is PostMessageW
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 02AFB841
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is DuplicateHandle
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AFA58A
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is PostMessageW
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 02AFBBB9
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is DispatchMessageW
                                                        APIs
                                                        • DispatchMessageW.USER32(?), ref: 02AFBE70
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: DispatchMessage
                                                        • String ID:
                                                        • API String ID: 2061451462-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Graph node/edge listing omitted; the only API node in this graph is CreateIconFromResourceEx
                                                        APIs
                                                        • CreateIconFromResourceEx.USER32 ref: 02AFB78A
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: CreateFromIconResource
                                                        • String ID:
                                                        • API String ID: 3668623891-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Rendered graph not reproduced: basic blocks 2afa75b-2afa7f8, with the OleInitialize call in block 2afa7b6-2afa7be
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: f49a3094eed5479cbfa48d91e8f886fd24b46d5e797f2a504bc69a8d8c289290
                                                        • Instruction ID: 3f7eb73ad1facfb6c58da343e6d6eb0d9c9eea934216186607c0705d497d81d6
                                                        • Opcode Fuzzy Hash: f49a3094eed5479cbfa48d91e8f886fd24b46d5e797f2a504bc69a8d8c289290
                                                        • Instruction Fuzzy Hash: B3118F714493849FD712CF55DC85B92BFB4EF42220F0984EBED498F253D279A448CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Rendered graph not reproduced: basic blocks 2afa8cc-2afa957, with the SetWindowLongW call in block 2afa920-2afa933
                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?), ref: 02AFA926
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        • Opcode ID: 2efc18d161f086e1e17f98b6368a6df81f9c57adba1909c3f4223b6605bdcbdd
                                                        • Instruction ID: 446274527f346eb6542fe7669379c0e9a49a4fcd9f0cd1ee266acc6b5e60fbec
                                                        • Opcode Fuzzy Hash: 2efc18d161f086e1e17f98b6368a6df81f9c57adba1909c3f4223b6605bdcbdd
                                                        • Instruction Fuzzy Hash: 161170314097849FD7218F55DC85B52FFF4EF46220F09C49AED894B262D375A458CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Rendered graph not reproduced: basic blocks 2afa546-2afa5c8, with the DuplicateHandle call in block 2afa584-2afa58c
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AFA58A
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: f4233cea04b5d6e0130e26e1af4e5491e0632b1bab57424ff4b7f27baafe3391
                                                        • Instruction ID: 3d1c622895740c5ebbbcf816f4a9be2537b6c2a0b93998b59b242d145a61c3af
                                                        • Opcode Fuzzy Hash: f4233cea04b5d6e0130e26e1af4e5491e0632b1bab57424ff4b7f27baafe3391
                                                        • Instruction Fuzzy Hash: BC016D324006009FDB618F95D884B96FFE0EF48720F08C8AAEE498B616D779E018DF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Rendered graph not reproduced: basic blocks 2afb746-2afb7c8, with the CreateIconFromResourceEx call in block 2afb784-2afb78c
                                                        APIs
                                                        • CreateIconFromResourceEx.USER32 ref: 02AFB78A
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: CreateFromIconResource
                                                        • String ID:
                                                        • API String ID: 3668623891-0
                                                        • Opcode ID: e50f5c1e0cb861c9dc484324921cee6017755fcff9c20ddce55ae4870c025c9f
                                                        • Instruction ID: 79461403f07170f9d62811e7b1b01c0bc97e8bb139214a773149276bc74dc7e3
                                                        • Opcode Fuzzy Hash: e50f5c1e0cb861c9dc484324921cee6017755fcff9c20ddce55ae4870c025c9f
                                                        • Instruction Fuzzy Hash: 19015B32400600DFDB618F95D884B56FBF4EF48720F08C8AAEE894A626D775E058DFB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 02AFAFEA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 79c4f8ad1622d4db45e411a616236d38d8cadf23392a3efff5cd74a059a90572
                                                        • Instruction ID: c646c7b555b2d65d28d55ee144035b0d4d1e74a92e3ab2b35b55edd339eebdf6
                                                        • Opcode Fuzzy Hash: 79c4f8ad1622d4db45e411a616236d38d8cadf23392a3efff5cd74a059a90572
                                                        • Instruction Fuzzy Hash: 80018672540604ABD710DF1ADC86B26FBE8FB88B20F14815AED085B781D375F515CBE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 02AFBBB9
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 11270d3813690db719f26a38d584431f330b80db3a1e207eff19b58bdbc31975
                                                        • Instruction ID: ba962833f713be0f2e5d02aba41e0c051c9cbdd36c4d8a30853aae1d483aac5b
                                                        • Opcode Fuzzy Hash: 11270d3813690db719f26a38d584431f330b80db3a1e207eff19b58bdbc31975
                                                        • Instruction Fuzzy Hash: F1019E355042009FEB608F96D884B65FBA0EF08224F08C49AEE468B666D675E458CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: b12e365dbb5a7f38c14568f9bb43f160cc661c2e12d02de5859b606d07006ffa
                                                        • Instruction ID: 0ea477374b8ea922143b904a841e4ad9507c856621cb01223fb8a572ab4263d2
                                                        • Opcode Fuzzy Hash: b12e365dbb5a7f38c14568f9bb43f160cc661c2e12d02de5859b606d07006ffa
                                                        • Instruction Fuzzy Hash: 11016275404240DFDB50CF95D885B95FBE4EF44320F18C4ABEE498F646D679A444CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 02AFB841
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 5748ba6adbd359cca278e3811037d47124dcc153b18e9f58048f0b22691f1088
                                                        • Instruction ID: 1b67cd38c2a20276d03206b88f42b81abae230a28fdd6b19b711603b17d7cd97
                                                        • Opcode Fuzzy Hash: 5748ba6adbd359cca278e3811037d47124dcc153b18e9f58048f0b22691f1088
                                                        • Instruction Fuzzy Hash: 29018F354002409FEB208F96DC84B65FBB0EF48324F08C49AEE494B262D775A458CFB2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?), ref: 02AFA926
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        • Opcode ID: edc6830d47ed0f9d354380822ca2bd2285f9e1088c5635ec9fde70e1bc546844
                                                        • Instruction ID: 665c5ec9f17ab9b9fd86211aacb8d6d59a1f32741b1f7dc1e3f68c46e06989f7
                                                        • Opcode Fuzzy Hash: edc6830d47ed0f9d354380822ca2bd2285f9e1088c5635ec9fde70e1bc546844
                                                        • Instruction Fuzzy Hash: 1401AD314006009FDB608F85D8C5791FFE4EF44320F08C4AAEE4A4B252D779A458CFA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DispatchMessageW.USER32(?), ref: 02AFBE70
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286015614.0000000002AFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2afa000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID: DispatchMessage
                                                        • String ID:
                                                        • API String ID: 2061451462-0
                                                        • Opcode ID: 45d7523153cfcce71e87b1bed8769bbf29f0de660b5ed17e4d49feece7335910
                                                        • Instruction ID: a40365caf9f77eb20f3bcd55a8b6111a4df12bee91ac627e2078a55ce5428392
                                                        • Opcode Fuzzy Hash: 45d7523153cfcce71e87b1bed8769bbf29f0de660b5ed17e4d49feece7335910
                                                        • Instruction Fuzzy Hash: 23F0A4359042409FDB608F45D884761FBA0DF48324F18C49AEE494B256E779A448CEB2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: r*+
                                                        • API String ID: 0-3221063712
                                                        • Opcode ID: 566ad7b4886ca7767fde35f38fe900a0f81a8a0cfc8f37329a0c2124bf328a76
                                                        • Instruction ID: 722fd3a18f4fde1bb14578225854afd1bcb1f4ab8f7bc616d9dff98ca8833b9b
                                                        • Opcode Fuzzy Hash: 566ad7b4886ca7767fde35f38fe900a0f81a8a0cfc8f37329a0c2124bf328a76
                                                        • Instruction Fuzzy Hash: F9718438E2821AEFCB44DFA5C481ABEBBB2FF84300F10816AD546AB255D7769D41CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: hX6r
                                                        • API String ID: 0-2322529949
                                                        • Opcode ID: 85cca8a376bcd7b98bb89a0ef069cd985d33bcd24cfa79a59ec40219707d6f33
                                                        • Instruction ID: 16769ba91c3cdbfebd877c20562c018527cb88f9db1fd63aab647125552b3f32
                                                        • Opcode Fuzzy Hash: 85cca8a376bcd7b98bb89a0ef069cd985d33bcd24cfa79a59ec40219707d6f33
                                                        • Instruction Fuzzy Hash: 7241E936B15118DFC705DF68C418AAEB7E7AFC6310F158066E90AEF361CEB29D068791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 8d32a7ff10b66725a8cf1699e67db0df579409dfc15a9d9056c37e5313902838
                                                        • Instruction ID: 2072b18a9f4a27432e499f3547f79abd38503adda2b0808a39e96f69b74e364b
                                                        • Opcode Fuzzy Hash: 8d32a7ff10b66725a8cf1699e67db0df579409dfc15a9d9056c37e5313902838
                                                        • Instruction Fuzzy Hash: 5B41C33CF24126EBCB24DF59C8805FEB7A3BFC5214B29C526C5169B605C676F802DB92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8q
                                                        • API String ID: 0-3914627077
                                                        • Opcode ID: d34f5761056bda2626d53198745dd84fc9da000fe28d278b385b5c944ecf2754
                                                        • Instruction ID: aa015d8f54db31dc9e129505fc608f1e42cb0af8c2eb8fa2bfc9c687e5831337
                                                        • Opcode Fuzzy Hash: d34f5761056bda2626d53198745dd84fc9da000fe28d278b385b5c944ecf2754
                                                        • Instruction Fuzzy Hash: B801F9317001245FC70666BD54515BF2B9BDFD9650718806FF046DB3C5CEA89C4383D2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8q
                                                        • API String ID: 0-3914627077
                                                        • Opcode ID: 058112c3580aaf4f3b9f2fa28901fc6a4ac1564af9fc7c29d47bb0f10972d6a5
                                                        • Instruction ID: 6dc064db4b25da46f31453e5727388e5a9eb084f44a33445f5cebda899e06533
                                                        • Opcode Fuzzy Hash: 058112c3580aaf4f3b9f2fa28901fc6a4ac1564af9fc7c29d47bb0f10972d6a5
                                                        • Instruction Fuzzy Hash: 1EF0B4317101244FC64976BE5411A7F268FDFD9A91B68802EF106DB384CEF8AC4343E6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 27d0de32ab72832d8c8dd360fcac0ae0ff0ae075b20e2c247150104d5fb1a2d1
                                                        • Instruction ID: 2ffcb7be9afea281d643935809d583b75e7326e4ec1b07654cad370b26d8f388
                                                        • Opcode Fuzzy Hash: 27d0de32ab72832d8c8dd360fcac0ae0ff0ae075b20e2c247150104d5fb1a2d1
                                                        • Instruction Fuzzy Hash: A622F338A14615CFC724DF64C490E6ABBF2FF88310B1485A9E85AAB755DB38ED85CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8605f7acc82fa51099e993b646025e3e441572a13efa838e89dc692d0a3feeed
                                                        • Instruction ID: 62891e5a4ff5beb39d8eace8af9acb91f2fbfa5468925657355edff398fca3c8
                                                        • Opcode Fuzzy Hash: 8605f7acc82fa51099e993b646025e3e441572a13efa838e89dc692d0a3feeed
                                                        • Instruction Fuzzy Hash: 5A51E635B60255EFCB25DBA4C898A6EBBF3FF84304F2085A5E546DB254CB74AC01CB80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0aa7030042eb39237bdac3f57ea1230035a7aec905790c90c4432785beaaeeb6
                                                        • Instruction ID: fc2ede50e08e4c1359fec911493043b2fd1a321731ef5b8779a637d85e38fcd4
                                                        • Opcode Fuzzy Hash: 0aa7030042eb39237bdac3f57ea1230035a7aec905790c90c4432785beaaeeb6
                                                        • Instruction Fuzzy Hash: 8CD0A7754AD3D49FC31657B5181A4F9BBB79D93200704C8A6E88046962C4663CA3EAA3
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286011381.0000000002AF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF2000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2af2000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4599888cfcf6c7950fac033a3f314af313a8d495a73007fee30bcba55d707f13
                                                        • Instruction ID: fa64942547ffc75205c19b3b809da465155b4243320486dd68fce23f6a352a45
                                                        • Opcode Fuzzy Hash: 4599888cfcf6c7950fac033a3f314af313a8d495a73007fee30bcba55d707f13
                                                        • Instruction Fuzzy Hash: 30D05E79245A814FD3278F1CD1A8B953B94AB91B09F4644FAEC008F663C7A8D581D210
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286011381.0000000002AF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF2000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2af2000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ab7b6f254f99dd4ea4e703ad8ca72bdfbe65a1b2e2733d8578269607e533be8
                                                        • Instruction ID: 8bdf0021e039429ebe9254af07e95351a38d8d9c5c89b19796055d5b923a1487
                                                        • Opcode Fuzzy Hash: 0ab7b6f254f99dd4ea4e703ad8ca72bdfbe65a1b2e2733d8578269607e533be8
                                                        • Instruction Fuzzy Hash: F2D05E742006814FD715DF0CC1D4F5977D4AB81B04F0644E9BC008B266C7A8D881C600
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f514c0b2ec23120c7b2c4c0e423c2cc07d540e72f70dbb7a6a9463e1721ae869
                                                        • Instruction ID: ba55bfaff5e302eee0afedf8d8a28f9a853ac88890f243a99ca6c576be555cd1
                                                        • Opcode Fuzzy Hash: f514c0b2ec23120c7b2c4c0e423c2cc07d540e72f70dbb7a6a9463e1721ae869
                                                        • Instruction Fuzzy Hash: 07D01230A40308CFCB092BB4E05941C376EEB582463000C7CD80687744DF3BE871CA00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bcf6369821c219f1927e2d1638274ed92097c966082f9973abb4b3cc9794c7f7
                                                        • Instruction ID: 90e76f241903d3bf65dd0cafe5d726ea62b9a34e9fa4a8c7f3ce4e00debd7115
                                                        • Opcode Fuzzy Hash: bcf6369821c219f1927e2d1638274ed92097c966082f9973abb4b3cc9794c7f7
                                                        • Instruction Fuzzy Hash: 26B092353A46096BEB5096B57888B66338C9B80A59F8404A1B80CC6901E556E8E03140
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c8671ee739ce4835808b73cde1aa8eddb30c4c003b5d5e9e89161b674e906ac
                                                        • Instruction ID: c41073ce7e8b0cc866b02867d63a8f41acb994e9e62cd570a6073b54850ac046
                                                        • Opcode Fuzzy Hash: 1c8671ee739ce4835808b73cde1aa8eddb30c4c003b5d5e9e89161b674e906ac
                                                        • Instruction Fuzzy Hash: 12C02B744A5224CEC2049AB2180D839F20BEED1300300C831A501005248DF27CA1D8A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.285627445.0000000000A30000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.285682783.0000000000A52000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_a30000_dhcpmon.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
                                                        • Instruction ID: 5ff89f8d4871d5361e33134530275cd8a36868bdc02713f38e39d0f15214f5ea
                                                        • Opcode Fuzzy Hash: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
                                                        • Instruction Fuzzy Hash: 8632646184F7C14FD7235B788CB86A17FB1AE6321474E49CBC4C1CF4A3EA19691AC722
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_5220000_dhcpmon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eef701ce835dbf2759cbd2495c818f6d0fbf4bf38c5dfadce7d4fe536c232550
                                                        • Instruction ID: 1e97adf0f7e815e1b472788248b6588e005758839a26f2c0af1b29fc10b469b1
                                                        • Opcode Fuzzy Hash: eef701ce835dbf2759cbd2495c818f6d0fbf4bf38c5dfadce7d4fe536c232550
                                                        • Instruction Fuzzy Hash: 6A516C76F015169BD714DAA9C884A6EB7F3AFC8710F2A8174E409EB369DE34DD018B90
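The records above come from three memory regions of dhcpmon.exe: two at 05220000 and 02AF2000 that are "based on PE: false", and one at 00A30000 that is "based on PE: true". The script below, an added example that is not part of the Joe Sandbox report and not Joe Sandbox code, parses those source file names and separates the regions that only exist in memory from the one mapped from the dropped file on disk. The dump names are copied from the records on this page. The assumed field layout (process index, analysis state, dump id, base address, page protection, an unknown field, allocation type, an unknown field) is inferred from those names and is not documented on this page; the Windows constants PAGE_EXECUTE_READWRITE (0x40), MEM_PRIVATE (0x20000) and MEM_IMAGE (0x1000000) are standard values, and the allocation-type field agrees with the report's "based on PE" flag on every record here, which is the consistency check the script performs before trusting the layout.

```python
"""Classify the memory regions named in the Joe Sandbox records above.

Added example for this report section; not Joe Sandbox code. The field
layout of the .sdmp names is an assumption inferred from the names on the
page; the Windows constants below are standard.
"""
import re
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40      # Windows page protection
MEM_PRIVATE = 0x20000              # VirtualAlloc'd region, not file-backed
MEM_IMAGE = 0x1000000              # region mapped from a PE image on disk

# Constructed sample input: (source file name, "based on PE" flag), copied
# from the records listed on this page.
SAMPLE_RECORDS = [
    ("00000004.00000002.286363092.0000000005220000.00000040.00000800.00020000.00000000.sdmp", False),
    ("00000004.00000002.286011381.0000000002AF2000.00000040.00000800.00020000.00000000.sdmp", False),
    ("00000004.00000002.285634821.0000000000A32000.00000002.00000001.01000000.00000005.sdmp", True),
]

# Assumed layout: eight dot-separated fields followed by ".sdmp". The dump id
# is kept opaque; fields 6 and 8 are not interpreted.
_NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool          # the report's own "based on PE" flag

    @property
    def rwx(self) -> bool:
        return self.protect == PAGE_EXECUTE_READWRITE

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_dump_name(name: str, pe_backed: bool) -> DumpRegion:
    """Split a .sdmp file name into the fields used for triage."""
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    return DumpRegion(
        process_index=int(m["proc"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
        pe_backed=pe_backed,
    )


def triage(records):
    """Return (memory_only_code_bases, inconsistent_names).

    memory_only_code_bases: base addresses of RWX MEM_PRIVATE regions that
    the report marks as not PE-backed, i.e. executable code the sandbox
    could only recover from memory, not from the file on disk.
    inconsistent_names: names whose allocation-type field disagrees with
    the "based on PE" flag, meaning the assumed layout does not hold there.
    """
    memory_only, inconsistent = set(), []
    for name, pe_backed in records:
        r = parse_dump_name(name, pe_backed)
        if r.image_backed != r.pe_backed:
            inconsistent.append(name)
            continue
        if r.rwx and r.mem_type == MEM_PRIVATE and not r.pe_backed:
            memory_only.add(r.base)
    return sorted(memory_only), inconsistent


if __name__ == "__main__":
    bases, bad = triage(SAMPLE_RECORDS)
    for b in bases:
        print(f"RWX code region with no on-disk image at 0x{b:08X}")
    for n in bad:
        print(f"field layout assumption failed for {n}")
```

On the records above this yields the two regions at 02AF2000 and 05220000 and no layout inconsistencies; the 00A30000 region is MEM_IMAGE and corresponds to the dhcpmon.exe image itself, which is where the Yara match on this page is reported.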
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%