Edit tour

Windows Analysis Report
4An07Q7I8G.exe

Overview

General Information

Sample Name:	4An07Q7I8G.exe
Original Sample Name:	b454c259c82c354cf5375ec490238507.exe
Analysis ID:	878387
MD5:	b454c259c82c354cf5375ec490238507
SHA1:	a0a3125c92df4657053f9001f38749a5d263471f
SHA256:	4188fbef59670a8fa8cee6a75514de835973823c58e66f6d5b622c695bd1ad07
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

4An07Q7I8G.exe (PID: 5516 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

4An07Q7I8G.exe (PID: 4900 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

4An07Q7I8G.exe (PID: 5672 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

schtasks.exe (PID: 4700 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5724 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

4An07Q7I8G.exe (PID: 1252 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe 0 MD5: B454C259C82C354CF5375EC490238507)

4An07Q7I8G.exe (PID: 5904 cmdline: C:\Users\user\Desktop\4An07Q7I8G.exe MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3348 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3224 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3636 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 5724 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B454C259C82C354CF5375EC490238507)

dhcpmon.exe (PID: 3956 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B454C259C82C354CF5375EC490238507)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "540c4d56-ad4d-4ca4-9f9f-305dba1d", "Group": "Default", "Domain1": "jasonbourneblack.ddns.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435b5:$a: NanoCore 0x4360e:$a: NanoCore 0x4364b:$a: NanoCore 0x436c4:$a: NanoCore 0x56d6f:$a: NanoCore 0x56d84:$a: NanoCore 0x56db9:$a: NanoCore 0x43617:$b: ClientPlugin 0x43654:$b: ClientPlugin 0x43f52:$b: ClientPlugin 0x43f5f:$b: ClientPlugin 0x56b2b:$b: ClientPlugin 0x56b46:$b: ClientPlugin 0x56b76:$b: ClientPlugin 0x56d8d:$b: ClientPlugin 0x56dc2:$b: ClientPlugin 0x56ca3:$c: ProjectData 0x43a9f:$g: LogClientMessage 0x43a1f:$i: get_Connected 0x575f2:$j: #=q 0x57622:$j: #=q
00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4364b:$a1: NanoCore.ClientPluginHost 0x56db9:$a1: NanoCore.ClientPluginHost 0x4360e:$a2: NanoCore.ClientPlugin 0x56d84:$a2: NanoCore.ClientPlugin 0x439e2:$b1: get_BuilderSettings 0x5bcff:$b1: get_BuilderSettings 0x43699:$b4: IClientAppHost 0x43a53:$b6: AddHostEntry 0x43ac2:$b7: LogClientException 0x5bc6e:$b7: LogClientException 0x43a37:$b8: PipeExists 0x43686:$b9: IClientLoggingHost 0x56dd3:$b9: IClientLoggingHost
00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0xffb7:$b9: IClientLoggingHost
0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xda5:$a1: NanoCore.ClientPluginHost 0xd70:$a2: NanoCore.ClientPlugin 0xdbf:$b9: IClientLoggingHost
00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6946b:$a: NanoCore 0x694c4:$a: NanoCore 0x69501:$a: NanoCore 0x6957a:$a: NanoCore 0x694cd:$b: ClientPlugin 0x6950a:$b: ClientPlugin 0x69e08:$b: ClientPlugin 0x69e15:$b: ClientPlugin 0x5f5e9:$e: KeepAlive 0x69955:$g: LogClientMessage 0x698d5:$i: get_Connected 0x598a1:$j: #=q 0x598d1:$j: #=q 0x5990d:$j: #=q 0x59935:$j: #=q 0x59965:$j: #=q 0x59995:$j: #=q 0x599c5:$j: #=q 0x599f5:$j: #=q 0x59a11:$j: #=q 0x59a41:$j: #=q
00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x69501:$a1: NanoCore.ClientPluginHost 0x694c4:$a2: NanoCore.ClientPlugin 0x5addb:$b1: get_BuilderSettings 0x69898:$b1: get_BuilderSettings 0x6954f:$b4: IClientAppHost 0x69909:$b6: AddHostEntry 0x5ad4a:$b7: LogClientException 0x69978:$b7: LogClientException 0x698ed:$b8: PipeExists 0x6953c:$b9: IClientLoggingHost
00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x34ec:$a1: NanoCore.ClientPluginHost 0x34c7:$a2: NanoCore.ClientPlugin 0x34dd:$b4: IClientAppHost 0x79cc:$b7: LogClientException 0x3516:$b9: IClientLoggingHost
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x47465:$x1: NanoCore.ClientPluginHost 0x7a085:$x1: NanoCore.ClientPluginHost 0xacaa5:$x1: NanoCore.ClientPluginHost 0x474a2:$x2: IClientNetworkHost 0x7a0c2:$x2: IClientNetworkHost 0xacae2:$x2: IClientNetworkHost 0x4afd5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7dbf5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb0615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x471cd:$a: NanoCore 0x471dd:$a: NanoCore 0x47411:$a: NanoCore 0x47425:$a: NanoCore 0x47465:$a: NanoCore 0x79ded:$a: NanoCore 0x79dfd:$a: NanoCore 0x7a031:$a: NanoCore 0x7a045:$a: NanoCore 0x7a085:$a: NanoCore 0xac80d:$a: NanoCore 0xac81d:$a: NanoCore 0xaca51:$a: NanoCore 0xaca65:$a: NanoCore 0xacaa5:$a: NanoCore 0x4722c:$b: ClientPlugin 0x4742e:$b: ClientPlugin 0x4746e:$b: ClientPlugin 0x79e4c:$b: ClientPlugin 0x7a04e:$b: ClientPlugin 0x7a08e:$b: ClientPlugin
00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x47465:$a1: NanoCore.ClientPluginHost 0x7a085:$a1: NanoCore.ClientPluginHost 0xacaa5:$a1: NanoCore.ClientPluginHost 0x47425:$a2: NanoCore.ClientPlugin 0x7a045:$a2: NanoCore.ClientPlugin 0xaca65:$a2: NanoCore.ClientPlugin 0x4937e:$b1: get_BuilderSettings 0x7bf9e:$b1: get_BuilderSettings 0xae9be:$b1: get_BuilderSettings 0x47281:$b2: ClientLoaderForm.resources 0x79ea1:$b2: ClientLoaderForm.resources 0xac8c1:$b2: ClientLoaderForm.resources 0x48a9e:$b3: PluginCommand 0x7b6be:$b3: PluginCommand 0xae0de:$b3: PluginCommand 0x47456:$b4: IClientAppHost 0x7a076:$b4: IClientAppHost 0xaca96:$b4: IClientAppHost 0x518d6:$b5: GetBlockHash 0x844f6:$b5: GetBlockHash 0xb6f16:$b5: GetBlockHash
0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x693b3:$a: NanoCore 0x6940c:$a: NanoCore 0x69449:$a: NanoCore 0x694c2:$a: NanoCore 0x69415:$b: ClientPlugin 0x69452:$b: ClientPlugin 0x69d50:$b: ClientPlugin 0x69d5d:$b: ClientPlugin 0x5f531:$e: KeepAlive 0x6989d:$g: LogClientMessage 0x6981d:$i: get_Connected 0x597e9:$j: #=q 0x59819:$j: #=q 0x59855:$j: #=q 0x5987d:$j: #=q 0x598ad:$j: #=q 0x598dd:$j: #=q 0x5990d:$j: #=q 0x5993d:$j: #=q 0x59959:$j: #=q 0x59989:$j: #=q
0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x69449:$a1: NanoCore.ClientPluginHost 0x6940c:$a2: NanoCore.ClientPlugin 0x5ad23:$b1: get_BuilderSettings 0x697e0:$b1: get_BuilderSettings 0x69497:$b4: IClientAppHost 0x69851:$b6: AddHostEntry 0x5ac92:$b7: LogClientException 0x698c0:$b7: LogClientException 0x69835:$b8: PipeExists 0x69484:$b9: IClientLoggingHost
Process Memory Space: 4An07Q7I8G.exe PID: 5516	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe591a:$x1: NanoCore.ClientPluginHost 0xe5957:$x2: IClientNetworkHost 0xe943f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf44bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10048a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10b810:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 4An07Q7I8G.exe PID: 5516	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 4An07Q7I8G.exe PID: 5516	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe55e7:$a: NanoCore 0xe55f7:$a: NanoCore 0xe56b6:$a: NanoCore 0xe56c5:$a: NanoCore 0xe58c6:$a: NanoCore 0xe58da:$a: NanoCore 0xe591a:$a: NanoCore 0xf0b27:$a: NanoCore 0xf0b39:$a: NanoCore 0xf0b75:$a: NanoCore 0xfcaf4:$a: NanoCore 0xfcb06:$a: NanoCore 0xfcb42:$a: NanoCore 0x107e7a:$a: NanoCore 0x107e8c:$a: NanoCore 0x107ec8:$a: NanoCore 0xe5646:$b: ClientPlugin 0xe570f:$b: ClientPlugin 0xe58e3:$b: ClientPlugin 0xe5923:$b: ClientPlugin 0xf0b42:$b: ClientPlugin
Process Memory Space: 4An07Q7I8G.exe PID: 5516	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe591a:$a1: NanoCore.ClientPluginHost 0xe58da:$a2: NanoCore.ClientPlugin 0xe77e8:$b1: get_BuilderSettings 0xe569b:$b2: ClientLoaderForm.resources 0xe6f08:$b3: PluginCommand 0xe590b:$b4: IClientAppHost 0xefd33:$b5: GetBlockHash 0xe7e40:$b6: AddHostEntry 0xf2f57:$b6: AddHostEntry 0xfef24:$b6: AddHostEntry 0x10a2aa:$b6: AddHostEntry 0xebb33:$b7: LogClientException 0xf6a98:$b7: LogClientException 0x102a65:$b7: LogClientException 0x10ddeb:$b7: LogClientException 0xe7dad:$b8: PipeExists 0xf2ecb:$b8: PipeExists 0xfee98:$b8: PipeExists 0x10a21e:$b8: PipeExists 0xe5944:$b9: IClientLoggingHost
Process Memory Space: 4An07Q7I8G.exe PID: 5672	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11336a:$a1: NanoCore.ClientPluginHost 0x113345:$a2: NanoCore.ClientPlugin 0x11335b:$b4: IClientAppHost 0x1177e4:$b7: LogClientException 0x113394:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 3224	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x22e5:$x1: NanoCore.ClientPluginHost 0x14af3:$x1: NanoCore.ClientPluginHost 0x36023:$x1: NanoCore.ClientPluginHost 0x22ff:$x2: IClientNetworkHost 0x14b30:$x2: IClientNetworkHost 0x3603d:$x2: IClientNetworkHost 0x1b310:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c2cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 3224	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3224	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x224f:$a: NanoCore 0x22a8:$a: NanoCore 0x22e5:$a: NanoCore 0x235e:$a: NanoCore 0x2c17:$a: NanoCore 0x2c6a:$a: NanoCore 0x2ca3:$a: NanoCore 0x2d16:$a: NanoCore 0xa2e8:$a: NanoCore 0xa2fb:$a: NanoCore 0xa32d:$a: NanoCore 0x147c0:$a: NanoCore 0x147d0:$a: NanoCore 0x1488f:$a: NanoCore 0x1489e:$a: NanoCore 0x14a9f:$a: NanoCore 0x14ab3:$a: NanoCore 0x14af3:$a: NanoCore 0x16c66:$a: NanoCore 0x16c78:$a: NanoCore 0x16cb4:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 3224	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x22e5:$a1: NanoCore.ClientPluginHost 0x14af3:$a1: NanoCore.ClientPluginHost 0x36023:$a1: NanoCore.ClientPluginHost 0x22a8:$a2: NanoCore.ClientPlugin 0x14ab3:$a2: NanoCore.ClientPlugin 0x35fe6:$a2: NanoCore.ClientPlugin 0x265f:$b1: get_BuilderSettings 0x169ca:$b1: get_BuilderSettings 0x2f75f:$b1: get_BuilderSettings 0x43826:$b1: get_BuilderSettings 0x14874:$b2: ClientLoaderForm.resources 0x160ea:$b3: PluginCommand 0x2333:$b4: IClientAppHost 0x14ae4:$b4: IClientAppHost 0x36071:$b4: IClientAppHost 0x26d0:$b6: AddHostEntry 0x36384:$b6: AddHostEntry 0x273f:$b7: LogClientException 0x2f6ce:$b7: LogClientException 0x43795:$b7: LogClientException 0x26b4:$b8: PipeExists
Process Memory Space: 4An07Q7I8G.exe PID: 5904	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 4An07Q7I8G.exe PID: 5904	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x244d:$a: NanoCore 0x2461:$a: NanoCore 0x27e4:$a: NanoCore 0x12c4f:$a: NanoCore 0x12c64:$a: NanoCore 0x12c99:$a: NanoCore 0x1400c:$a: NanoCore 0x1401f:$a: NanoCore 0x14051:$a: NanoCore 0x1beb6:$a: NanoCore 0x1fbaf:$a: NanoCore 0x1fc0a:$a: NanoCore 0x1fc7e:$a: NanoCore 0x35107:$a: NanoCore 0x35160:$a: NanoCore 0x3519d:$a: NanoCore 0x35216:$a: NanoCore 0x359a4:$a: NanoCore 0x359f7:$a: NanoCore 0x35a30:$a: NanoCore 0x35aa3:$a: NanoCore
Process Memory Space: 4An07Q7I8G.exe PID: 5904	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x12c99:$a1: NanoCore.ClientPluginHost 0x3519d:$a1: NanoCore.ClientPluginHost 0x12c64:$a2: NanoCore.ClientPlugin 0x35160:$a2: NanoCore.ClientPlugin 0x2e8d9:$b1: get_BuilderSettings 0x351eb:$b4: IClientAppHost 0x19ac1:$b5: GetBlockHash 0x6058:$b6: AddHostEntry 0x702d:$b6: AddHostEntry 0x354fe:$b6: AddHostEntry 0x159f6:$b7: LogClientException 0x169eb:$b7: LogClientException 0x2e848:$b7: LogClientException 0x5fc5:$b8: PipeExists 0x6fa1:$b8: PipeExists 0x354e2:$b8: PipeExists 0x12cb3:$b9: IClientLoggingHost 0x351d8:$b9: IClientLoggingHost
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.dhcpmon.exe.30d968c.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
9.2.dhcpmon.exe.30d968c.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.dhcpmon.exe.30d968c.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
9.2.dhcpmon.exe.30d968c.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
10.2.4An07Q7I8G.exe.40595f8.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
10.2.4An07Q7I8G.exe.40595f8.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
10.2.4An07Q7I8G.exe.40595f8.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.4An07Q7I8G.exe.40595f8.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin
10.2.4An07Q7I8G.exe.40595f8.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0xd9c7:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.45122d8.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.45122d8.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.4An07Q7I8G.exe.45122d8.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.45122d8.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.4An07Q7I8G.exe.45122d8.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.4An07Q7I8G.exe.45122d8.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40c060c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40c060c.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
9.2.dhcpmon.exe.40c060c.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
9.2.dhcpmon.exe.40c4c35.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.4An07Q7I8G.exe.4544ef8.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0x14610:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0x14623:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0x14631:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x144cd:$c: ProjectData 0x12c9:$g: LogClientMessage 0x1249:$i: get_Connected 0x14e1c:$j: #=q 0x14e4c:$j: #=q
9.2.dhcpmon.exe.40bb7d6.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
9.2.dhcpmon.exe.40c060c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
9.2.dhcpmon.exe.40c060c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.dhcpmon.exe.40c060c.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
9.2.dhcpmon.exe.40c060c.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x74ae0:$c: ProjectData 0xe2d00:$c: ProjectData 0x10a82:$d: DESCrypto
0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x471ad:$x1: NanoCore.ClientPluginHost 0x79dcd:$x1: NanoCore.ClientPluginHost 0xac7ed:$x1: NanoCore.ClientPluginHost 0x471ea:$x2: IClientNetworkHost 0x79e0a:$x2: IClientNetworkHost 0xac82a:$x2: IClientNetworkHost 0x4ad1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7d93d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb035d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46f15:$x1: NanoCore Client 0x46f25:$x1: NanoCore Client 0x79b35:$x1: NanoCore Client 0x79b45:$x1: NanoCore Client 0xac555:$x1: NanoCore Client 0xac565:$x1: NanoCore Client 0x4716d:$x2: NanoCore.ClientPlugin 0x79d8d:$x2: NanoCore.ClientPlugin 0xac7ad:$x2: NanoCore.ClientPlugin 0x471ad:$x3: NanoCore.ClientPluginHost 0x79dcd:$x3: NanoCore.ClientPluginHost 0xac7ed:$x3: NanoCore.ClientPluginHost 0x47162:$i1: IClientApp 0x79d82:$i1: IClientApp 0xac7a2:$i1: IClientApp 0x47183:$i2: IClientData 0x79da3:$i2: IClientData 0xac7c3:$i2: IClientData 0x4718f:$i3: IClientNetwork 0x79daf:$i3: IClientNetwork 0xac7cf:$i3: IClientNetwork
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46f15:$a: NanoCore 0x46f25:$a: NanoCore 0x47159:$a: NanoCore 0x4716d:$a: NanoCore 0x471ad:$a: NanoCore 0x79b35:$a: NanoCore 0x79b45:$a: NanoCore 0x79d79:$a: NanoCore 0x79d8d:$a: NanoCore 0x79dcd:$a: NanoCore 0xac555:$a: NanoCore 0xac565:$a: NanoCore 0xac799:$a: NanoCore 0xac7ad:$a: NanoCore 0xac7ed:$a: NanoCore 0x46f74:$b: ClientPlugin 0x47176:$b: ClientPlugin 0x471b6:$b: ClientPlugin 0x79b94:$b: ClientPlugin 0x79d96:$b: ClientPlugin 0x79dd6:$b: ClientPlugin
0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x471ad:$a1: NanoCore.ClientPluginHost 0x79dcd:$a1: NanoCore.ClientPluginHost 0xac7ed:$a1: NanoCore.ClientPluginHost 0x4716d:$a2: NanoCore.ClientPlugin 0x79d8d:$a2: NanoCore.ClientPlugin 0xac7ad:$a2: NanoCore.ClientPlugin 0x490c6:$b1: get_BuilderSettings 0x7bce6:$b1: get_BuilderSettings 0xae706:$b1: get_BuilderSettings 0x46fc9:$b2: ClientLoaderForm.resources 0x79be9:$b2: ClientLoaderForm.resources 0xac609:$b2: ClientLoaderForm.resources 0x487e6:$b3: PluginCommand 0x7b406:$b3: PluginCommand 0xade26:$b3: PluginCommand 0x4719e:$b4: IClientAppHost 0x79dbe:$b4: IClientAppHost 0xac7de:$b4: IClientAppHost 0x5161e:$b5: GetBlockHash 0x8423e:$b5: GetBlockHash 0xb6c5e:$b5: GetBlockHash
Click to see the 56 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\4An07Q7I8G.exe, ParentImage: C:\Users\user\Desktop\4An07Q7I8G.exe, ParentProcessId: 5672, ParentProcessName: 4An07Q7I8G.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp, ProcessId: 4700, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4An07Q7I8G.exe, ProcessId: 5672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971040322816718 05/30/23-16:40:13.977539
SID:	2816718
Source Port:	49710
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970540322816766 05/30/23-16:39:33.706408
SID:	2816766
Source Port:	49705
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971540322816766 05/30/23-16:40:50.973824
SID:	2816766
Source Port:	49715
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971840322816766 05/30/23-16:41:18.114338
SID:	2816766
Source Port:	49718
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972140322816766 05/30/23-16:41:38.417178
SID:	2816766
Source Port:	49721
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972740322816718 05/30/23-16:42:22.509655
SID:	2816718
Source Port:	49727
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970840322816766 05/30/23-16:40:00.413491
SID:	2816766
Source Port:	49708
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971140322816766 05/30/23-16:40:21.553606
SID:	2816766
Source Port:	49711
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497252841753 05/30/23-16:42:09.874096
SID:	2841753
Source Port:	4032
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971740322816718 05/30/23-16:41:08.713034
SID:	2816718
Source Port:	49717
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497212810290 05/30/23-16:41:38.152963
SID:	2810290
Source Port:	4032
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497312841753 05/30/23-16:42:49.623506
SID:	2841753
Source Port:	4032
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497332841753 05/30/23-16:43:01.178074
SID:	2841753
Source Port:	4032
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972240322816766 05/30/23-16:41:46.251062
SID:	2816766
Source Port:	49722
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970640322816766 05/30/23-16:39:46.341150
SID:	2816766
Source Port:	49706
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971240322816766 05/30/23-16:40:27.702458
SID:	2816766
Source Port:	49712
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 141.98.6.167 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.167192.168.2.74032497072810290 05/30/23-16:39:52.215019
SID:	2810290
Source Port:	4032
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970740322816766 05/30/23-16:39:52.717055
SID:	2816766
Source Port:	49707
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971640322816766 05/30/23-16:41:00.324127
SID:	2816766
Source Port:	49716
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972640322816766 05/30/23-16:42:16.962875
SID:	2816766
Source Port:	49726
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674973240322816766 05/30/23-16:42:56.061988
SID:	2816766
Source Port:	49732
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972340322816766 05/30/23-16:41:55.674302
SID:	2816766
Source Port:	49723
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971340322816766 05/30/23-16:40:34.783339
SID:	2816766
Source Port:	49713
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971040322816766 05/30/23-16:40:14.977403
SID:	2816766
Source Port:	49710
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971740322816766 05/30/23-16:41:08.713034
SID:	2816766
Source Port:	49717
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972740322816766 05/30/23-16:42:23.748746
SID:	2816766
Source Port:	49727
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970440322816766 05/30/23-16:39:25.146472
SID:	2816766
Source Port:	49704
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971940322816766 05/30/23-16:41:24.254865
SID:	2816766
Source Port:	49719
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674971440322816766 05/30/23-16:40:42.455969
SID:	2816766
Source Port:	49714
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674970940322816766 05/30/23-16:40:08.035340
SID:	2816766
Source Port:	49709
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972040322816766 05/30/23-16:41:31.469338
SID:	2816766
Source Port:	49720
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972440322816766 05/30/23-16:42:04.621976
SID:	2816766
Source Port:	49724
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674973040322816766 05/30/23-16:42:44.464795
SID:	2816766
Source Port:	49730
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674972840322816766 05/30/23-16:42:31.313902
SID:	2816766
Source Port:	49728
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.167

Timestamp:	192.168.2.7141.98.6.1674973440322816766 05/30/23-16:43:07.123160
SID:	2816766
Source Port:	49734
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "540c4d56-ad4d-4ca4-9f9f-305dba1d", "Group": "Default", "Domain1": "jasonbourneblack.ddns.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: 4An07Q7I8G.exe	ReversingLabs: Detection: 24%
Source: 4An07Q7I8G.exe	Virustotal: Detection: 34%			Perma Link

Antivirus detection for URL or domain

Source: jasonbourneblack.ddns.net

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: jasonbourneblack.ddns.net

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 24%

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

Machine Learning detection for sample

Source: 4An07Q7I8G.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: 4An07Q7I8G.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4An07Q7I8G.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AxiBQ.pdb source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbSHA256 source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbS source: 4An07Q7I8G.exe, 00000002.00000003.374904648.00000000013EF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 4x nop then jmp 07AB9A25h	0_2_07AB8E58
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 4x nop then jmp 06F89A25h	7_2_06F88E58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 06879A25h	8_2_06878E58

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49704 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49705 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49706 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 141.98.6.167:4032 -> 192.168.2.7:49707
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49707 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49708 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49709 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49710 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49710 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49711 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49712 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49713 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49714 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49715 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49716 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49717 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49717 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49718 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49719 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49720 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 141.98.6.167:4032 -> 192.168.2.7:49721
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49721 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49722 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49723 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49724 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 141.98.6.167:4032 -> 192.168.2.7:49725
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49726 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49727 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.7:49727 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49728 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49730 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 141.98.6.167:4032 -> 192.168.2.7:49731
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49732 -> 141.98.6.167:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 141.98.6.167:4032 -> 192.168.2.7:49733
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49734 -> 141.98.6.167:4032

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: jasonbourneblack.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: jasonbourneblack.ddns.net

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 141.98.6.167:4032

Source: 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wikip
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 4An07Q7I8G.exe, 00000000.00000003.352081387.0000000006252000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 4An07Q7I8G.exe, 00000000.00000003.355660959.0000000006286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersN
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: 4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comts
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 4An07Q7I8G.exe, 00000000.00000003.351944589.0000000006242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn&
Source: 4An07Q7I8G.exe, 00000000.00000003.351720872.000000000624A000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.351851946.000000000624A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/SCz
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: 4An07Q7I8G.exe, 00000000.00000003.358467096.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/-
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 4An07Q7I8G.exe, 00000000.00000003.348952309.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349006793.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349107893.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349149259.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349055971.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.348875232.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349026832.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349081700.0000000006264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comFUw
Source: 4An07Q7I8G.exe, 00000000.00000003.354701779.0000000006286000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.354764386.0000000006286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 4An07Q7I8G.exe, 00000000.00000003.349978172.0000000006243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net-t
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: jasonbourneblack.ddns.net

Source: 4An07Q7I8G.exe, 00000000.00000002.366438687.00000000014E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dhcpmon.exe, 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5672, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: 4An07Q7I8G.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.30d968c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.4An07Q7I8G.exe.30595d4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5672, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_0315C284	0_2_0315C284
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_0315E650	0_2_0315E650
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_0315E640	0_2_0315E640
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB8E58	0_2_07AB8E58
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB8E4D	0_2_07AB8E4D
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB04F0	0_2_07AB04F0
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB2430	0_2_07AB2430
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB1020	0_2_07AB1020
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB0040	0_2_07AB0040
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_012AC284	7_2_012AC284
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_012AE640	7_2_012AE640
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_012AE650	7_2_012AE650
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F8AEE8	7_2_06F8AEE8
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F88E58	7_2_06F88E58
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F804F0	7_2_06F804F0
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F82430	7_2_06F82430
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F80040	7_2_06F80040
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F81020	7_2_06F81020
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F88E48	7_2_06F88E48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00B8C284	8_2_00B8C284
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00B8E650	8_2_00B8E650
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_00B8E640	8_2_00B8E640
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06878E58	8_2_06878E58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_068704F0	8_2_068704F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06872430	8_2_06872430
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06871020	8_2_06871020
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06870040	8_2_06870040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF5410	8_2_06AF5410
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF0040	8_2_06AF0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF8E11	8_2_06AF8E11
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFBB06	8_2_06AFBB06
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF58CE	8_2_06AF58CE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF9990	8_2_06AF9990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFE6F9	8_2_06AFE6F9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF95A8	8_2_06AF95A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF95B8	8_2_06AF95B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF0006	8_2_06AF0006
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFE050	8_2_06AFE050
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1AC5	8_2_06AF1AC5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1828	8_2_06AF1828
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1817	8_2_06AF1817
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AF1AC8	8_2_06AF1AC8

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Process Stats: CPU usage > 98%

Source: 4An07Q7I8G.exe, 00000000.00000002.386674839.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000002.366438687.00000000014E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000000.346160675.000000000100C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAxiBQ.exe4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000002.367447161.0000000003341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000002.00000003.374904648.00000000013EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAxiBQ.exe4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.400346227.0000000003E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.400346227.0000000003E82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.394868341.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 00000007.00000002.398108722.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004058000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.425979907.0000000001079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004071000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 4An07Q7I8G.exe
Source: 4An07Q7I8G.exe	Binary or memory string: OriginalFilenameAxiBQ.exe4 vs 4An07Q7I8G.exe

Source: 4An07Q7I8G.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4An07Q7I8G.exe	ReversingLabs: Detection: 24%
Source: 4An07Q7I8G.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File read: C:\Users\user\Desktop\4An07Q7I8G.exe

Jump to behavior

Source: 4An07Q7I8G.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4An07Q7I8G.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/11@32/1

Source: 4An07Q7I8G.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2028:120:WilError_01
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{540c4d56-ad4d-4ca4-9f9f-305dba1da640}

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 4An07Q7I8G.exe, 00000000.00000003.354914939.000000000625A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Kristen is a Trademark of International Typeface Corporation.slnt

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 4An07Q7I8G.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 4An07Q7I8G.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 4An07Q7I8G.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: AxiBQ.pdb source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbSHA256 source: 4An07Q7I8G.exe, dhcpmon.exe.2.dr
Source:	Binary string: AxiBQ.pdbS source: 4An07Q7I8G.exe, 00000002.00000003.374904648.00000000013EF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 4An07Q7I8G.exe, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.4An07Q7I8G.exe.f50000.0.unpack, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.2.dr, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 0_2_07AB5600 pushad ; iretd	0_2_07AB5603
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F85600 pushad ; iretd	7_2_06F85603
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F87FFA push es; retf	7_2_06F88014
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Code function: 7_2_06F87F09 push es; retf	7_2_06F87F0C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06875600 pushad ; iretd	8_2_06875603
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06877B6B push es; ret	8_2_06877B6C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFC2A0 push esp; iretd	8_2_06AFC2A1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFB0C3 push eax; ret	8_2_06AFB0C9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06AFB0C0 pushad ; ret	8_2_06AFB0C1

Source: initial sample	Static PE information: section name: .text entropy: 7.701181340859135
Source: initial sample	Static PE information: section name: .text entropy: 7.701181340859135

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

File opened: C:\Users\user\Desktop\4An07Q7I8G.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 2400	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 6920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 324	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 1184	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 3424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2948	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2200	Thread sleep time: -41202s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4012	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Window / User API: threadDelayed 9254	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Window / User API: foregroundWindowGot 825	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Window / User API: foregroundWindowGot 700	Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41202
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Memory written: C:\Users\user\Desktop\4An07Q7I8G.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Memory written: C:\Users\user\Desktop\4An07Q7I8G.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Process created: C:\Users\user\Desktop\4An07Q7I8G.exe C:\Users\user\Desktop\4An07Q7I8G.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: 4An07Q7I8G.exe, 00000002.00000003.615288362.00000000037BF000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000002.00000003.615288362.0000000003798000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000002.00000003.615288362.0000000003745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 4An07Q7I8G.exe, 00000002.00000003.615288362.00000000037BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager g4

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Users\user\Desktop\4An07Q7I8G.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\4An07Q7I8G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4An07Q7I8G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: 4An07Q7I8G.exe, 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 4An07Q7I8G.exe, 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 4An07Q7I8G.exe, 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKindDelegateDebuggerDisplayAttributeSystem.DiagnosticsDebuggerHiddenAttributeDebuggerNonUserCodeAttributeDebuggerStepThroughAttributeProcessStackFrameStackTraceDoubleEnumEnvironmentExceptionCultureInfoSystem.GlobalizationIAsyncResultIDisposableInt16Int32Int64IntPtrBinaryReaderSystem.IOBinaryWriterDirectoryDirectoryInfoEndOfStreamExceptionFileFileAccessFileInfoFileModeFileStreamFileSystemInfoMemoryStreamPathStreamStringReaderMathMulticastDelegateObjectAssemblySystem.ReflectionAssemblyCompanyAttributeAssemblyCopyrightAttributeAssemblyDescriptionAttributeAssemblyFileVersionAttributeAssemblyNameAssemblyProductAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeDefaultMemberAttributeMemberInfoMethodBaseResolveEventArgsResolveEventHandlerResourceManagerSystem.ResourcesCompilationRelaxationsAttributeSystem.Runtime.CompilerServicesCompilerGeneratedAttributeRuntimeCompatibilityAttributeRuntimeHelpersSuppressIldasmAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeMarshalRuntimeEnvironmentRuntimeMethodHandleRuntimeTypeHandleSuppressUnmanagedCodeSecurityAttributeSystem.SecurityStringStringSplitOptionsEncodingSystem.TextCaptureSystem.Text.RegularExpressionsGroupGroupCollectionMatchMatchCollectionRegexStringBuilderMonitorSystem.ThreadingThreadThreadPoolTimerTimerCallbackWaitCallbackTimeSpanTypeUInt16UInt32UInt64UriUriKindValueTypeVoidClipboardCreateParamsKeysMessageNativeWindow<Module>#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=#=q1WnXnf5Kn3oZdelfZ9atXg==#=q4Jhplum5EMsDzltMg_L_tgoPjr8zzldX6k5uL$T8QHU=#=qaeAZ85IK9icf1hoO$eIUgQ==#=qbDWEs19y0rXNZJloHjyEAXFFSfYqbb6nrn10YnV15GU=#=qgHfmPA2gNKnydwzqeSF_2nVCUjp4Sfb3eJfQd$j975A=#=q3$4$aeeKw0G6KJpmbsHtCSC3$LdCNMfTzWNTjLVfIoU=#=qwJ4w0jkRVthW3ex8w5dly$cWay1Am4JSh9ZTwaXqcz4=#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=#=qps$_CRy8QN3tD8_cpxbl5Q==#=qeoqI9zQPLOZjV1JthHFzOD41rl7NT5wwztozAPfluxU=#=qfisk2$Joqzyumzd6fh2dOQ==#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=#=qG3u5K_RN
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 4An07Q7I8G.exe, 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 10.2.4An07Q7I8G.exe.40595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c4c35.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40bb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.dhcpmon.exe.40c060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.4544ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.45122d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4An07Q7I8G.exe.44db2b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4An07Q7I8G.exe PID: 5904, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	21 Input Capture	11 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4An07Q7I8G.exe	24%	ReversingLabs	Win32.Trojan.Pwsx
4An07Q7I8G.exe	35%	Virustotal		Browse
4An07Q7I8G.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	24%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
jasonbourneblack.ddns.net	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://en.wikip	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn&	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/SCz	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/-	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comts	0%	Avira URL Cloud	safe
http://www.typography.net-t	0%	Avira URL Cloud	safe
jasonbourneblack.ddns.net	100%	Avira URL Cloud	malware
http://www.galapagosdesign.com/-	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comFUw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jasonbourneblack.ddns.net	141.98.6.167	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jasonbourneblack.ddns.net	true	Avira URL Cloud: malware	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	4An07Q7I8G.exe, 00000000.00000003.352081387.0000000006252000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comts	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.wikip	4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersN	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/-	4An07Q7I8G.exe, 00000000.00000003.358467096.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.358415531.000000000624D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.typography.netD	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	4An07Q7I8G.exe, 00000000.00000003.358377438.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comm	4An07Q7I8G.exe, 00000000.00000003.360991127.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361063234.000000000624D000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.361333707.000000000624C000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.374757092.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.net-t	4An07Q7I8G.exe, 00000000.00000003.349978172.0000000006243000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/SCz	4An07Q7I8G.exe, 00000000.00000003.351720872.000000000624A000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.351851946.000000000624A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn&	4An07Q7I8G.exe, 00000000.00000003.351944589.0000000006242000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	4An07Q7I8G.exe, 00000000.00000003.354701779.0000000006286000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000002.375206014.0000000007352000.00000004.00000800.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.354764386.0000000006286000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	4An07Q7I8G.exe, 00000000.00000003.355660959.0000000006286000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.comFUw	4An07Q7I8G.exe, 00000000.00000003.348952309.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349006793.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349107893.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349149259.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349055971.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.348875232.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349026832.0000000006264000.00000004.00000020.00020000.00000000.sdmp, 4An07Q7I8G.exe, 00000000.00000003.349081700.0000000006264000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.98.6.167	jasonbourneblack.ddns.net	Germany		33657	CMCSUS	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878387
Start date and time:	2023-05-30 16:38:03 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	4An07Q7I8G.exe
Original Sample Name:	b454c259c82c354cf5375ec490238507.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/11@32/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 172 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:39:11	API Interceptor	1849x Sleep call for process: 4An07Q7I8G.exe modified
16:39:16	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\4An07Q7I8G.exe" s>$(Arg0)
16:39:16	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
16:39:18	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:39:24	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.98.6.167	x4VGltSj0j.exe	Get hash	malicious	Nanocore	Browse
	M8Hh0nRCxM.exe	Get hash	malicious	Nanocore	Browse
	pQ8I1Q95pk.exe	Get hash	malicious	Nanocore	Browse
	1UScideLXZ.exe	Get hash	malicious	Nanocore	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jasonbourneblack.ddns.net	x4VGltSj0j.exe	Get hash	malicious	Nanocore	Browse	141.98.6.167
	M8Hh0nRCxM.exe	Get hash	malicious	Nanocore	Browse	141.98.6.167
	pQ8I1Q95pk.exe	Get hash	malicious	Nanocore	Browse	141.98.6.167
	1UScideLXZ.exe	Get hash	malicious	Nanocore	Browse	141.98.6.167

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CMCSUS	https://www.bing.com/ck/a?!&&p=79845ec745a4255fJmltdHM9MTY4NTE0NTYwMCZpZ3VpZD0yNDYzOTBhOS1kZDMyLTY1Y2ItMDM5ZC04M2I3ZGM1MDY0NzImaW5zaWQ9NTIwOQ&ptn=3&hsh=3&fclid=246390a9-dd32-65cb-039d-83b7dc506472&u=a1aHR0cHM6Ly9mdXJuaXphLmNvbS9wcm9kdWN0L2VsbGVuLXVwaG9sc3RlcmVkLXNjb29wZWQtYXJtLXNvZmEtd2l0aC1zcXVhcmUtdHVmdGluZy1icm9va3NpZGUtaG9tZS8#M=abuse@fbi.gov	Get hash	malicious	HTMLPhisher	Browse	95.214.24.140
	RPxMx1uuBh.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	K0zAFb4x67.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	py75hHwvGP.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	0P1uXL1t2D.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	APLlhTxRDG.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	1Q0c6cE9If.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	Dx3iLWPHgo.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	03UpBUxBjY.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	58EZ8ehLmv.exe	Get hash	malicious	Amadey, RedLine	Browse	95.214.27.98
	nKluzn9XGu.exe	Get hash	malicious	Amadey, RedLine	Browse	95.214.27.98
	muKvSEw98J.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	tI2nnjd6Kh.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	x4VGltSj0j.exe	Get hash	malicious	Nanocore	Browse	141.98.6.167
	Quotation_Request.js	Get hash	malicious	WSHRAT	Browse	141.98.6.215
	DO-COAU8034456940.xls	Get hash	malicious	GuLoader	Browse	141.98.6.22
	1EwIywYAJw.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	gpiQaD7JJyHJILw.exe	Get hash	malicious	AsyncRAT	Browse	95.214.27.44
	HQVL2NYefa.rtf	Get hash	malicious	GuLoader	Browse	45.66.230.128
	ssHeDpcTJD.exe	Get hash	malicious	GuLoader	Browse	141.98.6.22

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	782336
Entropy (8bit):	7.670020600922918
Encrypted:	false
SSDEEP:	12288:zPRP2B0xTGlxNqvNu2hZ+nUEsn9iwx241iWKWHy4x7Qm7MFPkhTYZHqX1kEao0JQ:zZPLaVUH999V20iWKW33IPGT0G1kEaTy
MD5:	B454C259C82C354CF5375EC490238507
SHA1:	A0A3125C92DF4657053F9001F38749A5D263471F
SHA-256:	4188FBEF59670A8FA8CEE6A75514DE835973823C58E66F6D5B622C695BD1AD07
SHA-512:	959685935CD0B6A6BA6A23A2E1BAFF1D1119B5EED401852173EBD0E1A9A6B5A7B350010F27BFB7C1742D11BE01DC84E283BD21F2E64FB1BD33CF3167C7FE654A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{Sud..............0......P......J.... ........@.. ....................... ............@.....................................O.......<:.............................T............................................ ............... ..H............text...P.... ...................... ..`.rsrc...<:.......@..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4An07Q7I8G.exe.log

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1304
Entropy (8bit):	5.115647572660457
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mSxtn:cbk4oL600QydbQxIYODOLedq3Uj
MD5:	1DDB387C3D6CBA069AACAB109BD51E64
SHA1:	8D8BC1D64B435E009B65674A5FC18202976AC4DC
SHA-256:	9E22400F410B4D6556DA1E47AAC6E740BDDB9BBF54EC672317516D227BC8C05B
SHA-512:	CC61745804FCF1717A3C71224FF1076351749B0A6D25058A5FA3E9B239C828F8E04D48E963D670E157BF161EA84EBC1D0969E8A987AA299E61DF6F3707E502A0
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:ExC9:V
MD5:	F5560F152CDF86389BC12DF27D0AB13E
SHA1:	0AC7E5A1020C73D9E8D5EBB670F4010626D946AD
SHA-256:	A44CC5DBFA8C587AE50220A2E855BC22372B475375AE594695BF92B55F24C53B
SHA-512:	C8F181435AF609BDD45423E2AB74589A0F54393F682A1341E506966E2C0598A3650CC730EBC408F4D97D4481ADB74F13E33745CFDB70D342B03CC60B1FAAE938
Malicious:	true
Preview:	k{g.ga.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\4An07Q7I8G.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.39146321255865
Encrypted:	false
SSDEEP:	3:oN0naRRRkL40SsdiLAC:oNcSRCQsgLN
MD5:	BD43240CB9E3E459B9C2985C27CB8FAB
SHA1:	AC9A4D13C5BE671980909A49E420A9D1C7000514
SHA-256:	47371587121EA0B8D8246C94BC5FA50C31FBF1361F7AAFB357501C00AF670F94
SHA-512:	F96A8ED5804BDB9B1DC4D318825F67CA634FD31DC7AC7858F20E6553B08FB38C28F43CB09A50D8B23C507F47A9D687D045D8E6F24A3CEEC90464D0C3E77D6574
Malicious:	false
Preview:	C:\Users\user\Desktop\4An07Q7I8G.exe

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.670020600922918
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	4An07Q7I8G.exe
File size:	782336
MD5:	b454c259c82c354cf5375ec490238507
SHA1:	a0a3125c92df4657053f9001f38749a5d263471f
SHA256:	4188fbef59670a8fa8cee6a75514de835973823c58e66f6d5b622c695bd1ad07
SHA512:	959685935cd0b6a6ba6a23a2e1baff1d1119b5eed401852173ebd0e1a9a6b5a7b350010f27bfb7c1742d11be01dc84e283bd21f2e64fb1bd33cf3167c7fe654a
SSDEEP:	12288:zPRP2B0xTGlxNqvNu2hZ+nUEsn9iwx241iWKWHy4x7Qm7MFPkhTYZHqX1kEao0JQ:zZPLaVUH999V20iWKW33IPGT0G1kEaTy
TLSH:	55F422287B57802FD5831BB408D87B7560FD82DAB872E7231E5792D9DB6BF096802317
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{Sud..............0......P......J.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	94969edbd9f8d9c6

Static PE Info

General

Entrypoint:	0x4ba54a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6475537B [Tue May 30 01:38:03 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba4f8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x3a3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb94c8	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb8550	0xb9000	False	0.9298313450168919	data	7.701181340859135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x3a3c	0x4000	False	0.8494873046875	data	7.3969246343448285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x1000	False	0.0087890625	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xbc0c8	0x36fd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xbf7d8	0x14	data
RT_VERSION	0xbf7fc	0x23c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7141.98.6.1674971040322816718 05/30/23-16:40:13.977539	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49710	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970540322816766 05/30/23-16:39:33.706408	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971540322816766 05/30/23-16:40:50.973824	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971840322816766 05/30/23-16:41:18.114338	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49718	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972140322816766 05/30/23-16:41:38.417178	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49721	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972740322816718 05/30/23-16:42:22.509655	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49727	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970840322816766 05/30/23-16:40:00.413491	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971140322816766 05/30/23-16:40:21.553606	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49711	4032	192.168.2.7	141.98.6.167
141.98.6.167192.168.2.74032497252841753 05/30/23-16:42:09.874096	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49725	141.98.6.167	192.168.2.7
192.168.2.7141.98.6.1674971740322816718 05/30/23-16:41:08.713034	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49717	4032	192.168.2.7	141.98.6.167
141.98.6.167192.168.2.74032497212810290 05/30/23-16:41:38.152963	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	4032	49721	141.98.6.167	192.168.2.7
141.98.6.167192.168.2.74032497312841753 05/30/23-16:42:49.623506	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49731	141.98.6.167	192.168.2.7
141.98.6.167192.168.2.74032497332841753 05/30/23-16:43:01.178074	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49733	141.98.6.167	192.168.2.7
192.168.2.7141.98.6.1674972240322816766 05/30/23-16:41:46.251062	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49722	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970640322816766 05/30/23-16:39:46.341150	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971240322816766 05/30/23-16:40:27.702458	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	4032	192.168.2.7	141.98.6.167
141.98.6.167192.168.2.74032497072810290 05/30/23-16:39:52.215019	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	4032	49707	141.98.6.167	192.168.2.7
192.168.2.7141.98.6.1674970740322816766 05/30/23-16:39:52.717055	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971640322816766 05/30/23-16:41:00.324127	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972640322816766 05/30/23-16:42:16.962875	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49726	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674973240322816766 05/30/23-16:42:56.061988	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49732	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972340322816766 05/30/23-16:41:55.674302	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49723	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971340322816766 05/30/23-16:40:34.783339	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49713	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971040322816766 05/30/23-16:40:14.977403	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971740322816766 05/30/23-16:41:08.713034	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972740322816766 05/30/23-16:42:23.748746	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49727	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970440322816766 05/30/23-16:39:25.146472	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971940322816766 05/30/23-16:41:24.254865	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49719	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674971440322816766 05/30/23-16:40:42.455969	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49714	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674970940322816766 05/30/23-16:40:08.035340	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972040322816766 05/30/23-16:41:31.469338	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49720	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972440322816766 05/30/23-16:42:04.621976	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49724	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674973040322816766 05/30/23-16:42:44.464795	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49730	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674972840322816766 05/30/23-16:42:31.313902	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49728	4032	192.168.2.7	141.98.6.167
192.168.2.7141.98.6.1674973440322816766 05/30/23-16:43:07.123160	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49734	4032	192.168.2.7	141.98.6.167

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2023 16:39:22.476109982 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:22.503236055 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:22.503346920 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:22.857084036 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:22.934726954 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:22.956017017 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:22.999768019 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.031047106 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.143770933 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.223859072 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285304070 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285352945 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285381079 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285412073 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.285414934 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.285468102 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.317507029 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.317559004 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.317723989 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.350073099 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379556894 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379605055 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379625082 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379645109 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379682064 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379728079 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379739046 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379745960 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379748106 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379757881 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.379801035 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.379825115 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408036947 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408082008 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408102036 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408109903 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408127069 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408138990 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408157110 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408157110 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408170938 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.408216000 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.408308983 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.434542894 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434588909 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434614897 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434638977 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434649944 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.434663057 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.434695005 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.461402893 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461447001 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461464882 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.461474895 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461499929 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461512089 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.461528063 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.461565971 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.488554955 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488667011 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488687992 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488706112 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488725901 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488734961 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.488745928 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488759041 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.488765001 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.488782883 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.515285015 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515317917 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515336037 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515350103 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515362978 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515382051 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515399933 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.515427113 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.515456915 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.541888952 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541934013 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541963100 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541990042 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.541990995 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.542016983 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542037010 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.542068005 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542093992 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542109966 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.542129993 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.542179108 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569458961 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569509983 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569547892 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569580078 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569582939 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569618940 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569627047 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569664955 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569695950 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569700003 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.569727898 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569758892 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.569765091 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.596297979 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596333027 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596353054 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.596357107 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596379995 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596390963 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.596404076 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596426010 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596436977 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.596448898 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596472025 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596482038 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.596494913 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.596527100 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.623508930 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.623969078 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.623992920 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624011993 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624030113 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624028921 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.624049902 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624056101 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.624068022 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624085903 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624100924 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.624104023 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624123096 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624129057 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.624142885 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.624156952 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.650470018 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650511026 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650528908 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650547028 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650552034 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.650566101 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650577068 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.650584936 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650602102 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.650603056 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650623083 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650640965 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650641918 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.650659084 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650676966 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.650677919 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.650715113 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.678008080 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678041935 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678066015 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678082943 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.678088903 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678112984 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678124905 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.678136110 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678158998 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678169012 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.678181887 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678205013 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678215027 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.678229094 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678251982 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678271055 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.678273916 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678303957 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.678337097 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.704895973 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.704951048 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.704960108 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.704993010 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705033064 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705044031 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.705073118 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705111980 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705121040 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.705151081 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705189943 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705193996 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.705228090 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705265999 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.705269098 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705312014 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705353975 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705359936 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.705394983 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.705452919 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.731941938 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732027054 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732089043 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732103109 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.732146978 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732203960 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.732204914 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732333899 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732398987 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732400894 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.732459068 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732520103 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.732532024 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732590914 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732650995 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.732652903 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732721090 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732777119 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.732779980 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732841015 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.732896090 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.732908010 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.760683060 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.760749102 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.760768890 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.760807991 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.760860920 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.760864019 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.760911942 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.760962963 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.760972977 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761023998 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761075020 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761075974 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.761126041 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761178970 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761181116 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.761229992 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761282921 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.761286020 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761337042 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761390924 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.761409044 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788084030 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788139105 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788163900 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788183928 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788187027 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788212061 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788217068 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788235903 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788252115 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788259983 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788295984 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788319111 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788328886 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788341999 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788363934 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788377047 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788387060 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788408995 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788409948 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788433075 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788458109 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.788461924 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.788522005 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815243959 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815278053 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815304995 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815334082 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815342903 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815376997 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815390110 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815417051 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815440893 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815459013 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815466881 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815490961 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815515995 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815519094 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815551996 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815565109 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815577984 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815603018 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815623045 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815627098 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815650940 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815665960 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.815674067 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815700054 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.815722942 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842142105 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842192888 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842206001 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842221022 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842250109 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842257977 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842274904 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842300892 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842322111 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842324018 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842350960 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842376947 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842395067 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842403889 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842427015 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842432022 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842456102 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842477083 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842489004 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842514038 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842533112 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842540026 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842571974 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842582941 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.842597961 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.842634916 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869437933 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869478941 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869504929 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869528055 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869530916 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869556904 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869574070 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869582891 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869610071 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869623899 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869635105 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869662046 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869671106 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869685888 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869713068 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869718075 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869738102 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869762897 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869770050 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869802952 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869843960 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869865894 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869893074 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869918108 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869927883 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.869942904 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869970083 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.869978905 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896390915 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896429062 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896454096 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896476984 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896501064 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896521091 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896521091 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896528959 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896553993 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896553993 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896579981 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896606922 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896621943 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896631002 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896655083 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896661997 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896680117 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896699905 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896708965 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896735907 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896744013 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896764040 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896787882 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896795988 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896810055 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896832943 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896842957 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.896857977 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.896898985 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.923335075 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923404932 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923451900 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923459053 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.923499107 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923541069 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.923544884 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923592091 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923629999 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.923636913 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923682928 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923719883 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.923727989 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923773050 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923815966 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.923818111 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923862934 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923908949 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923933029 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.923954964 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.923999071 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.924000025 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.924046040 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.924087048 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.924104929 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.924149990 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.924304008 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.924314022 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.924360037 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.924401999 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.924405098 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951338053 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951404095 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951423883 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951452017 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951459885 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951476097 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951484919 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951494932 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951513052 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951518059 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951534033 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951562881 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951565027 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951581955 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951601028 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951615095 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951620102 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951637983 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951644897 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951657057 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951675892 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951683998 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951694012 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951713085 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951721907 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951730967 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951749086 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951756001 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951766968 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951785088 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.951798916 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.951828957 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:23.978152990 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.978197098 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.978229046 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:23.978245020 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:24.019311905 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:25.146471977 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:25.223134041 CEST	4032	49704	141.98.6.167	192.168.2.7
May 30, 2023 16:39:25.636862040 CEST	49704	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:32.635572910 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:32.662270069 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:32.662406921 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:32.662775040 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:32.742964983 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:32.768193007 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:32.925858974 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:32.952634096 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:33.035708904 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:33.089951992 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:33.175321102 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:33.360732079 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:33.426443100 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:33.452780008 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:33.535752058 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:33.706408024 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:33.784140110 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:34.402671099 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:34.484363079 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:34.691819906 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:34.718858957 CEST	4032	49705	141.98.6.167	192.168.2.7
May 30, 2023 16:39:34.849586010 CEST	49705	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:44.895090103 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:44.921485901 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:44.921643019 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:44.930366993 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:45.012764931 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:45.012864113 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:45.093333960 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:45.110244989 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:45.117049932 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:45.143975019 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:45.206327915 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:45.285294056 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:45.480755091 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:45.536793947 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:45.563031912 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:45.739942074 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:45.926589966 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.004776001 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:46.006031990 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.032794952 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:46.246102095 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.261519909 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.288319111 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:46.341150045 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.419914007 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:46.702987909 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.788290024 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:46.788388014 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.860162973 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:46.860377073 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:46.941766024 CEST	4032	49706	141.98.6.167	192.168.2.7
May 30, 2023 16:39:47.340337038 CEST	49706	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:51.527719021 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:51.554156065 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:51.554258108 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:51.554719925 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:51.630856037 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:51.678080082 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:51.688906908 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:51.716331005 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:51.756160021 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:51.975049019 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:52.056948900 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:52.215018988 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:52.256135941 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:52.282891035 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:52.333311081 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:52.717055082 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:52.792745113 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:52.935537100 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:53.012813091 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:53.013801098 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:53.024095058 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:53.068646908 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:53.093811035 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:53.095804930 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:53.146809101 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:53.293467045 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:53.320461035 CEST	4032	49707	141.98.6.167	192.168.2.7
May 30, 2023 16:39:53.365569115 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:55.316848993 CEST	49707	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:59.762181997 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:59.788429976 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:39:59.788538933 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:59.788943052 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:59.858841896 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:39:59.953228951 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:39:59.953484058 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:39:59.980793953 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:39:59.985233068 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:00.061912060 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:00.213845968 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:00.214644909 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:00.240829945 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:00.242480993 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:00.268945932 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:00.269010067 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:00.295612097 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:00.295715094 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:00.377058029 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:00.413491011 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:00.488907099 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:01.057667971 CEST	4032	49708	141.98.6.167	192.168.2.7
May 30, 2023 16:40:01.178752899 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:01.612543106 CEST	49708	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:06.147144079 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:06.174355984 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:06.174541950 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:06.253393888 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:06.334518909 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:06.386646986 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:06.399732113 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:06.427308083 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:06.477161884 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:06.930306911 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:06.997517109 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:06.997607946 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:07.074907064 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:07.209743023 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:07.257396936 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:07.283940077 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:07.325171947 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:07.403083086 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:07.629211903 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:07.656477928 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:07.656586885 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:07.683367014 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:07.726270914 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:08.035340071 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:08.116849899 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:08.539211035 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:08.612150908 CEST	4032	49709	141.98.6.167	192.168.2.7
May 30, 2023 16:40:08.847594023 CEST	49709	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:13.825516939 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:13.853408098 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:13.853903055 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:13.854566097 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:13.931830883 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:13.977539062 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.041241884 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.041941881 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.068953991 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.077166080 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.155839920 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.295154095 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.299053907 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.325486898 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.367436886 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.393795967 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.396213055 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.426569939 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.428075075 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.454997063 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:14.508045912 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:14.977402925 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:15.055896997 CEST	4032	49710	141.98.6.167	192.168.2.7
May 30, 2023 16:40:15.952579021 CEST	49710	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.035705090 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.061885118 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.062067986 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.062721014 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.139866114 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.174684048 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.175177097 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.201831102 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.206721067 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.281966925 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.463563919 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.618036032 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.644174099 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.727260113 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.798743963 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:20.954333067 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:20.987354040 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:21.183695078 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:21.210958958 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:21.430613995 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:21.553606033 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:21.636850119 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:21.979159117 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:22.053066969 CEST	4032	49711	141.98.6.167	192.168.2.7
May 30, 2023 16:40:22.509673119 CEST	49711	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:26.580205917 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:26.609899044 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:26.610104084 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:26.611037970 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:26.689969063 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:26.738271952 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:26.738746881 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:26.765965939 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:26.772166014 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:26.859529018 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:27.028117895 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:27.029002905 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:27.055788994 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:27.056905031 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:27.087605953 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:27.087774992 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:27.114310026 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:27.165383101 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:27.702457905 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:27.779017925 CEST	4032	49712	141.98.6.167	192.168.2.7
May 30, 2023 16:40:28.962433100 CEST	49712	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.141828060 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.168344021 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.168509960 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.169029951 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.237770081 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.328291893 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.350961924 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.378362894 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.423955917 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.474697113 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.551834106 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.716345072 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.759727001 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.786163092 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.837815046 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.846010923 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:33.923907042 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:33.941633940 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:34.024821997 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:34.024972916 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:34.053204060 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:34.103475094 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:34.132024050 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:34.181632996 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:34.783339024 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:34.861424923 CEST	4032	49713	141.98.6.167	192.168.2.7
May 30, 2023 16:40:36.276609898 CEST	49713	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:40.673422098 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:40.700186968 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:40.701169014 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:40.703377008 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:40.779942036 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:40.797189951 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:40.797723055 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:40.825016975 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:40.835051060 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:40.916860104 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:41.052931070 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:41.053765059 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:41.080157042 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:41.244870901 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:41.271286964 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:41.271722078 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:41.298568010 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:41.298712969 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:41.325736046 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:41.325911045 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:41.399925947 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:41.417182922 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:41.492799044 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:42.455969095 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:42.532243967 CEST	4032	49714	141.98.6.167	192.168.2.7
May 30, 2023 16:40:43.509807110 CEST	49714	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.148677111 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.174961090 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.175185919 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.175904036 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.253920078 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.281718016 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.286607981 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.313819885 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.322350979 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.406939030 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.574161053 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.579021931 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.605345964 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.613043070 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.641413927 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.641622066 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.668229103 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.670852900 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:49.756886959 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:49.962153912 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:50.039876938 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:50.973824024 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:51.048911095 CEST	4032	49715	141.98.6.167	192.168.2.7
May 30, 2023 16:40:52.182379007 CEST	49715	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.452754974 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.479213953 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.479367971 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.479882956 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.550992966 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.579193115 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.579473972 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.607059956 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.614124060 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.694304943 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.851176977 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.852123976 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.878587008 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.879611015 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.906296968 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.906433105 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:58.933479071 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:40:58.933686972 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:40:59.009201050 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:41:00.324126959 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:00.400918007 CEST	4032	49716	141.98.6.167	192.168.2.7
May 30, 2023 16:41:01.336855888 CEST	49716	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:06.984523058 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.011143923 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.012485981 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.013161898 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.092159986 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.158962011 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.178200006 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.205174923 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.211752892 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.295819998 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.451587915 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.452413082 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.478559971 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.534189939 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.560425997 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.612250090 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.677875996 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.704752922 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.752890110 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.816808939 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.849694014 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:07.849780083 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:07.926958084 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:08.631561995 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:08.712857008 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:08.713033915 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:08.793860912 CEST	4032	49717	141.98.6.167	192.168.2.7
May 30, 2023 16:41:09.961158037 CEST	49717	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:14.938505888 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:14.964986086 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:14.965121984 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:14.965790033 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.043989897 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.044095993 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.096213102 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.096540928 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.125207901 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.175395012 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.175889969 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.255086899 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.402641058 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.403634071 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.430399895 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.472378016 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.498842955 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.515753984 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.543596983 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.543800116 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.572951078 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:15.573086023 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:15.648814917 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:17.110795975 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:17.187891006 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:18.114337921 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:18.195233107 CEST	4032	49718	141.98.6.167	192.168.2.7
May 30, 2023 16:41:19.350338936 CEST	49718	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.530863047 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.557302952 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:23.560108900 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.560720921 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.635879040 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:23.638545036 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:23.639017105 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.665760040 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:23.670804024 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.756846905 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:23.900454044 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:23.941802025 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.959625006 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:23.969631910 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:24.019953012 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:24.040127039 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:24.042860031 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:24.070389032 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:24.113738060 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:24.140124083 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:24.191837072 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:24.254864931 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:24.335859060 CEST	4032	49719	141.98.6.167	192.168.2.7
May 30, 2023 16:41:25.559513092 CEST	49719	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:30.101794958 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:30.128537893 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:30.128722906 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:30.317239046 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:30.393372059 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:30.446755886 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:30.489279032 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:30.833719015 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:30.863645077 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:30.911166906 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:30.938266039 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:31.017492056 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:31.170304060 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:31.223661900 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:31.226983070 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:31.249880075 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:31.301809072 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:31.303889990 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:31.469337940 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:31.544917107 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:31.545068979 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:31.571888924 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:31.614361048 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:31.640397072 CEST	4032	49720	141.98.6.167	192.168.2.7
May 30, 2023 16:41:31.692487955 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:32.639642954 CEST	49720	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:37.777762890 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:37.805136919 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:37.805361032 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:37.806104898 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:37.885600090 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:37.886140108 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:37.913043022 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:37.919446945 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:37.987868071 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:38.152962923 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:38.153965950 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:38.180308104 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:38.181669950 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:38.209059000 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:38.209197998 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:38.237884045 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:38.349271059 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:38.417177916 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:38.496895075 CEST	4032	49721	141.98.6.167	192.168.2.7
May 30, 2023 16:41:39.775084019 CEST	49721	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:44.594429970 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:44.620843887 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:44.620995998 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:44.621623039 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:44.702933073 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:44.705821991 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:44.716244936 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:44.771747112 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:44.784993887 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:44.909919024 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:44.937055111 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:44.990514040 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.080396891 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.147775888 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:45.324387074 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:45.381148100 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.394226074 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.407666922 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:45.459243059 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.472881079 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:45.559180975 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.586066961 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:45.631128073 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.707068920 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:45.734385967 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:45.787436962 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:46.251061916 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:46.328870058 CEST	4032	49722	141.98.6.167	192.168.2.7
May 30, 2023 16:41:46.949206114 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:46.959949017 CEST	49722	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:52.245321035 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:52.271423101 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:52.271606922 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:52.513380051 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:52.594975948 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:52.608175993 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:52.663058043 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:52.685244083 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:52.711970091 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:52.756828070 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:53.010355949 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:53.088737011 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:53.354624033 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:53.475610018 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:53.502470016 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:53.584985971 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:53.798201084 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:53.869223118 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:53.925133944 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:54.007852077 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:54.082994938 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:54.110374928 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:54.288197041 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:55.646259069 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:55.674233913 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:55.674302101 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:55.754937887 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:55.755027056 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:41:55.827966928 CEST	4032	49723	141.98.6.167	192.168.2.7
May 30, 2023 16:41:56.722702980 CEST	49723	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:03.719333887 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:03.745913982 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:03.746040106 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:03.804965019 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:03.883429050 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:03.887624979 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:03.929589987 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.032190084 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.059441090 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:04.101540089 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.544493914 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.621881962 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:04.621975899 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.703952074 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:04.762459040 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:04.804742098 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.832159996 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:04.882844925 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.887100935 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.909624100 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:04.960913897 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:04.966089010 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:05.246685982 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:05.273642063 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:05.273742914 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:05.301187038 CEST	4032	49724	141.98.6.167	192.168.2.7
May 30, 2023 16:42:05.351607084 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:05.713339090 CEST	49724	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:09.811232090 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:09.838489056 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:09.839745045 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:09.839745045 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:09.874095917 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:09.914989948 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:09.971168995 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:09.972640038 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:10.001285076 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:10.021038055 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:10.116626024 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:10.322279930 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:10.323100090 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:10.350689888 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:10.398942947 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:10.426292896 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:10.426565886 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:10.459069014 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:10.459177971 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:10.487648010 CEST	4032	49725	141.98.6.167	192.168.2.7
May 30, 2023 16:42:10.539596081 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:10.821407080 CEST	49725	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.380233049 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.406641960 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.406786919 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.533946037 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.616801977 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.637500048 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.637814999 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.665752888 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.669883013 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.745256901 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.903635025 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.904668093 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.931014061 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.931812048 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.961422920 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.961591959 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:15.990561008 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:15.990667105 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:16.059576035 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:16.962874889 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:17.039942026 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:17.282979965 CEST	4032	49726	141.98.6.167	192.168.2.7
May 30, 2023 16:42:17.337167025 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:17.962523937 CEST	49726	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.180527925 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.207156897 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.207353115 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.207974911 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.284897089 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.291291952 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.337481976 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.474910021 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.502599001 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.509654999 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.582945108 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.583012104 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.664938927 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.810204029 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.853076935 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.879620075 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:22.925510883 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:22.958003044 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:23.035924911 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:23.036032915 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:23.062782049 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:23.103102922 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:23.130013943 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:23.181236982 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:23.211867094 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:23.292027950 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:23.748745918 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:23.826108932 CEST	4032	49727	141.98.6.167	192.168.2.7
May 30, 2023 16:42:24.712573051 CEST	49727	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:29.223135948 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:29.250705957 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:29.250880003 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:29.251378059 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:29.331542969 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:29.384418011 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:29.386337042 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:29.413229942 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:29.417947054 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:29.499198914 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:29.668354988 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:29.713121891 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:29.740628958 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:29.791323900 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:30.151738882 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:30.230914116 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:30.312617064 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:30.390944958 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:30.542414904 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:30.569791079 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:30.619535923 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:31.131861925 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:31.158961058 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:31.213262081 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:31.313901901 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:31.394022942 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:31.394177914 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:31.473937035 CEST	4032	49728	141.98.6.167	192.168.2.7
May 30, 2023 16:42:32.912873983 CEST	49728	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:36.962202072 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:36.988606930 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:36.990602016 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:36.991136074 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:37.067873955 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:37.113233089 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:37.113542080 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:37.140445948 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:37.146837950 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:37.218981981 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:37.371054888 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:37.448165894 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:37.474581003 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:37.557476997 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:37.736155987 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:37.817862988 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:37.901981115 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:37.929013968 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:38.016236067 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:38.043603897 CEST	4032	49729	141.98.6.167	192.168.2.7
May 30, 2023 16:42:38.260792017 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:39.013062954 CEST	49729	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.073698997 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.100214005 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.100406885 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.100930929 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.187165022 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.292979956 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.293344975 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.321594000 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.327058077 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.400055885 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.433343887 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.515953064 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.541955948 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.543883085 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.570158005 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.620532036 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.646922112 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.647232056 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.675137997 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.675328016 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:43.704489946 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:43.745604038 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:44.464795113 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:44.541094065 CEST	4032	49730	141.98.6.167	192.168.2.7
May 30, 2023 16:42:45.480514050 CEST	49730	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:49.556991100 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:49.583260059 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:49.583363056 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:49.583786011 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:49.623506069 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:49.667913914 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:49.699016094 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:49.699377060 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:49.726979971 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:49.731885910 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:49.816395998 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:49.998112917 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:50.042953968 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:50.063368082 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:50.070425034 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:50.121042967 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:50.138861895 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:50.140352011 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:50.167105913 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:50.214814901 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:50.240977049 CEST	4032	49731	141.98.6.167	192.168.2.7
May 30, 2023 16:42:50.292994022 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:50.502825975 CEST	49731	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:54.561640024 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:54.588114023 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:54.589884043 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:54.591101885 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:54.670134068 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:54.690207005 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:54.690464973 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:54.717478991 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:54.727122068 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:54.798908949 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:54.950942993 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:54.952733994 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:54.979332924 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:55.027800083 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:55.054514885 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:55.056519985 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:55.083642960 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:55.086023092 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:55.113507032 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:55.168443918 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:56.061988115 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:42:56.138948917 CEST	4032	49732	141.98.6.167	192.168.2.7
May 30, 2023 16:42:57.059771061 CEST	49732	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.121573925 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.147888899 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.148107052 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.148509026 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.178073883 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.231393099 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.257642984 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.257852077 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.287427902 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.291259050 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.377991915 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.544732094 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.545433998 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.571626902 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.572406054 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.598936081 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.599087954 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.626682043 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:01.626777887 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:01.705465078 CEST	4032	49733	141.98.6.167	192.168.2.7
May 30, 2023 16:43:02.123677969 CEST	49733	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.193989992 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.220357895 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.220976114 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.221524954 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.297895908 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.307651043 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.307950020 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.334913969 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.339508057 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.415924072 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.575225115 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.576035023 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.602166891 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.607810974 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.635310888 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.636598110 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:06.663712025 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:06.716314077 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:07.123159885 CEST	49734	4032	192.168.2.7	141.98.6.167
May 30, 2023 16:43:07.198843002 CEST	4032	49734	141.98.6.167	192.168.2.7
May 30, 2023 16:43:08.123241901 CEST	49734	4032	192.168.2.7	141.98.6.167

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2023 16:39:22.362440109 CEST	50505	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:22.397989988 CEST	53	50505	8.8.8.8	192.168.2.7
May 30, 2023 16:39:32.605612040 CEST	61178	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:32.632709026 CEST	53	61178	8.8.8.8	192.168.2.7
May 30, 2023 16:39:44.354666948 CEST	63926	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:44.381418943 CEST	53	63926	8.8.8.8	192.168.2.7
May 30, 2023 16:39:51.504729986 CEST	53336	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:51.524482012 CEST	53	53336	8.8.8.8	192.168.2.7
May 30, 2023 16:39:59.729190111 CEST	51007	53	192.168.2.7	8.8.8.8
May 30, 2023 16:39:59.757992983 CEST	53	51007	8.8.8.8	192.168.2.7
May 30, 2023 16:40:05.948673964 CEST	50513	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:05.983731985 CEST	53	50513	8.8.8.8	192.168.2.7
May 30, 2023 16:40:13.588737011 CEST	60765	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:13.617819071 CEST	53	60765	8.8.8.8	192.168.2.7
May 30, 2023 16:40:20.004285097 CEST	58283	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:20.033102036 CEST	53	58283	8.8.8.8	192.168.2.7
May 30, 2023 16:40:26.547569990 CEST	50024	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:26.576658964 CEST	53	50024	8.8.8.8	192.168.2.7
May 30, 2023 16:40:33.111949921 CEST	49516	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:33.140515089 CEST	53	49516	8.8.8.8	192.168.2.7
May 30, 2023 16:40:40.637732029 CEST	62679	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:40.672013998 CEST	53	62679	8.8.8.8	192.168.2.7
May 30, 2023 16:40:48.904197931 CEST	61392	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:48.938972950 CEST	53	61392	8.8.8.8	192.168.2.7
May 30, 2023 16:40:58.416053057 CEST	52104	53	192.168.2.7	8.8.8.8
May 30, 2023 16:40:58.444981098 CEST	53	52104	8.8.8.8	192.168.2.7
May 30, 2023 16:41:06.952166080 CEST	65356	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:06.980006933 CEST	53	65356	8.8.8.8	192.168.2.7
May 30, 2023 16:41:14.907988071 CEST	59006	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:14.936583042 CEST	53	59006	8.8.8.8	192.168.2.7
May 30, 2023 16:41:23.494816065 CEST	51526	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:23.529709101 CEST	53	51526	8.8.8.8	192.168.2.7
May 30, 2023 16:41:29.957299948 CEST	51139	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:29.972347975 CEST	53	51139	8.8.8.8	192.168.2.7
May 30, 2023 16:41:37.741357088 CEST	58784	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:37.776343107 CEST	53	58784	8.8.8.8	192.168.2.7
May 30, 2023 16:41:44.572515011 CEST	57970	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:44.593158960 CEST	53	57970	8.8.8.8	192.168.2.7
May 30, 2023 16:41:52.146033049 CEST	64608	53	192.168.2.7	8.8.8.8
May 30, 2023 16:41:52.180840969 CEST	53	64608	8.8.8.8	192.168.2.7
May 30, 2023 16:42:03.454895973 CEST	58746	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:03.474879026 CEST	53	58746	8.8.8.8	192.168.2.7
May 30, 2023 16:42:09.789836884 CEST	62433	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:09.810009956 CEST	53	62433	8.8.8.8	192.168.2.7
May 30, 2023 16:42:15.086165905 CEST	61248	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:15.122503996 CEST	53	61248	8.8.8.8	192.168.2.7
May 30, 2023 16:42:22.159080982 CEST	52750	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:22.179284096 CEST	53	52750	8.8.8.8	192.168.2.7
May 30, 2023 16:42:29.186521053 CEST	64078	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:29.221518040 CEST	53	64078	8.8.8.8	192.168.2.7
May 30, 2023 16:42:36.934360027 CEST	50231	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:36.960967064 CEST	53	50231	8.8.8.8	192.168.2.7
May 30, 2023 16:42:43.045001984 CEST	58514	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:43.072479010 CEST	53	58514	8.8.8.8	192.168.2.7
May 30, 2023 16:42:49.527162075 CEST	51436	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:49.555417061 CEST	53	51436	8.8.8.8	192.168.2.7
May 30, 2023 16:42:54.530867100 CEST	59053	53	192.168.2.7	8.8.8.8
May 30, 2023 16:42:54.559801102 CEST	53	59053	8.8.8.8	192.168.2.7
May 30, 2023 16:43:01.091682911 CEST	51945	53	192.168.2.7	8.8.8.8
May 30, 2023 16:43:01.120343924 CEST	53	51945	8.8.8.8	192.168.2.7
May 30, 2023 16:43:06.156100035 CEST	63187	53	192.168.2.7	8.8.8.8
May 30, 2023 16:43:06.191737890 CEST	53	63187	8.8.8.8	192.168.2.7
May 30, 2023 16:43:12.186599016 CEST	64760	53	192.168.2.7	8.8.8.8
May 30, 2023 16:43:12.201931953 CEST	53	64760	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 30, 2023 16:39:22.362440109 CEST	192.168.2.7	8.8.8.8	0xf453	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:32.605612040 CEST	192.168.2.7	8.8.8.8	0x5e7e	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:44.354666948 CEST	192.168.2.7	8.8.8.8	0xa8f2	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:51.504729986 CEST	192.168.2.7	8.8.8.8	0xae94	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:59.729190111 CEST	192.168.2.7	8.8.8.8	0x338a	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:05.948673964 CEST	192.168.2.7	8.8.8.8	0x8320	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:13.588737011 CEST	192.168.2.7	8.8.8.8	0x3578	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:20.004285097 CEST	192.168.2.7	8.8.8.8	0xd4de	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:26.547569990 CEST	192.168.2.7	8.8.8.8	0xe4f9	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:33.111949921 CEST	192.168.2.7	8.8.8.8	0xd2fe	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:40.637732029 CEST	192.168.2.7	8.8.8.8	0x8d6e	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:48.904197931 CEST	192.168.2.7	8.8.8.8	0x24e7	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:58.416053057 CEST	192.168.2.7	8.8.8.8	0x8d7b	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:06.952166080 CEST	192.168.2.7	8.8.8.8	0xff49	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:14.907988071 CEST	192.168.2.7	8.8.8.8	0x43f4	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:23.494816065 CEST	192.168.2.7	8.8.8.8	0x71ba	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:29.957299948 CEST	192.168.2.7	8.8.8.8	0x135e	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:37.741357088 CEST	192.168.2.7	8.8.8.8	0x668b	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:44.572515011 CEST	192.168.2.7	8.8.8.8	0xeba5	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:52.146033049 CEST	192.168.2.7	8.8.8.8	0xf4e8	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:03.454895973 CEST	192.168.2.7	8.8.8.8	0x7d3b	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:09.789836884 CEST	192.168.2.7	8.8.8.8	0xf20	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:15.086165905 CEST	192.168.2.7	8.8.8.8	0x4758	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:22.159080982 CEST	192.168.2.7	8.8.8.8	0xe248	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:29.186521053 CEST	192.168.2.7	8.8.8.8	0x1496	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:36.934360027 CEST	192.168.2.7	8.8.8.8	0xf282	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:43.045001984 CEST	192.168.2.7	8.8.8.8	0xa5c9	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:49.527162075 CEST	192.168.2.7	8.8.8.8	0x7be4	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:54.530867100 CEST	192.168.2.7	8.8.8.8	0x4051	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:01.091682911 CEST	192.168.2.7	8.8.8.8	0xf734	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:06.156100035 CEST	192.168.2.7	8.8.8.8	0xdbc4	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:12.186599016 CEST	192.168.2.7	8.8.8.8	0x622a	Standard query (0)	jasonbourneblack.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 30, 2023 16:39:22.397989988 CEST	8.8.8.8	192.168.2.7	0xf453	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:32.632709026 CEST	8.8.8.8	192.168.2.7	0x5e7e	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:44.381418943 CEST	8.8.8.8	192.168.2.7	0xa8f2	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:51.524482012 CEST	8.8.8.8	192.168.2.7	0xae94	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:39:59.757992983 CEST	8.8.8.8	192.168.2.7	0x338a	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:05.983731985 CEST	8.8.8.8	192.168.2.7	0x8320	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:13.617819071 CEST	8.8.8.8	192.168.2.7	0x3578	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:20.033102036 CEST	8.8.8.8	192.168.2.7	0xd4de	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:26.576658964 CEST	8.8.8.8	192.168.2.7	0xe4f9	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:33.140515089 CEST	8.8.8.8	192.168.2.7	0xd2fe	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:40.672013998 CEST	8.8.8.8	192.168.2.7	0x8d6e	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:48.938972950 CEST	8.8.8.8	192.168.2.7	0x24e7	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:40:58.444981098 CEST	8.8.8.8	192.168.2.7	0x8d7b	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:06.980006933 CEST	8.8.8.8	192.168.2.7	0xff49	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:14.936583042 CEST	8.8.8.8	192.168.2.7	0x43f4	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:23.529709101 CEST	8.8.8.8	192.168.2.7	0x71ba	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:29.972347975 CEST	8.8.8.8	192.168.2.7	0x135e	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:37.776343107 CEST	8.8.8.8	192.168.2.7	0x668b	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:44.593158960 CEST	8.8.8.8	192.168.2.7	0xeba5	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:41:52.180840969 CEST	8.8.8.8	192.168.2.7	0xf4e8	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:03.474879026 CEST	8.8.8.8	192.168.2.7	0x7d3b	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:09.810009956 CEST	8.8.8.8	192.168.2.7	0xf20	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:15.122503996 CEST	8.8.8.8	192.168.2.7	0x4758	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:22.179284096 CEST	8.8.8.8	192.168.2.7	0xe248	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:29.221518040 CEST	8.8.8.8	192.168.2.7	0x1496	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:36.960967064 CEST	8.8.8.8	192.168.2.7	0xf282	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:43.072479010 CEST	8.8.8.8	192.168.2.7	0xa5c9	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:49.555417061 CEST	8.8.8.8	192.168.2.7	0x7be4	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:42:54.559801102 CEST	8.8.8.8	192.168.2.7	0x4051	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:01.120343924 CEST	8.8.8.8	192.168.2.7	0xf734	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:06.191737890 CEST	8.8.8.8	192.168.2.7	0xdbc4	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false
May 30, 2023 16:43:12.201931953 CEST	8.8.8.8	192.168.2.7	0x622a	No error (0)	jasonbourneblack.ddns.net	141.98.6.167	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:39:04
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0xf50000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.368982132.00000000044DB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	16:39:13
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0x230000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	16:39:13
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0xd80000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.388393335.0000000006B6F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	16:39:15
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA70D.tmp
Imagebase:	0x360000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	16:39:15
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	16:39:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp
Imagebase:	0x360000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	16:39:16
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	16:39:16
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe 0
Imagebase:	0x820000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	16:39:17
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x100000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 24%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	16:39:26
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xce0000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.432421713.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.421527210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.430617847.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	16:39:26
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\4An07Q7I8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4An07Q7I8G.exe
Imagebase:	0xb60000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.433647519.0000000004068000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.431553537.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	11
Start time:	16:39:27
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x160000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	12
Start time:	16:39:35
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x390000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	13
Start time:	16:39:35
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xcd0000
File size:	782336 bytes
MD5 hash:	B454C259C82C354CF5375EC490238507
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.5%
Total number of Nodes:	126
Total number of Limit Nodes:	10

Executed Functions

Function 07AB8E58 Relevance: 1.9, Strings: 1, Instructions: 662
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 07AB965C

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 1ee8c07e3d7a15852918f5f74fd3fa3ee85623c9097634701e92efcfe0ca0070
Instruction ID: 8ee256f8a3d16f88abfcfe7d5c70911ea37b03a3d76180f5ae4bbc5cb02708c5
Opcode Fuzzy Hash: 1ee8c07e3d7a15852918f5f74fd3fa3ee85623c9097634701e92efcfe0ca0070
Instruction Fuzzy Hash: 4462F3B4A00228CFDB64DF64C854BEDBBB6FB89305F1480E9D509AB295DB346E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0315B759 Relevance: 6.1, APIs: 4, Instructions: 121
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0315B7C8
GetCurrentThread.KERNEL32 ref: 0315B805
GetCurrentProcess.KERNEL32 ref: 0315B842
GetCurrentThreadId.KERNEL32 ref: 0315B89B

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ac86bb4f670e8a8c700f00d7baf597153d748bce01104474366d247db6b04140
Instruction ID: cd2bd8ef7e4f94cb57b2636d6a0772c95e8b9a6c969abf5778f1276817a3171f
Opcode Fuzzy Hash: ac86bb4f670e8a8c700f00d7baf597153d748bce01104474366d247db6b04140
Instruction Fuzzy Hash: BE5133B4900649CFDB50CFAAD988B9EBFF0BF48314F248569E819A7291C7746884CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0315B768 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0315B7C8
GetCurrentThread.KERNEL32 ref: 0315B805
GetCurrentProcess.KERNEL32 ref: 0315B842
GetCurrentThreadId.KERNEL32 ref: 0315B89B

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 054c7ceecbbc8a0bf484040fed4c99b33b9457b182d5354866cb86026cdae4cf
Instruction ID: f29867e2dd9a1d99a0e16905a593dc231bee5439a12b47b7600cc3e4da9ba57b
Opcode Fuzzy Hash: 054c7ceecbbc8a0bf484040fed4c99b33b9457b182d5354866cb86026cdae4cf
Instruction Fuzzy Hash: 9D5132B0900609CFDB50CFAAD948B9EBFF4BF88310F248559E819A7290D7346884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1909 Relevance: 1.8, APIs: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359944d4cec3779ac797bb0fcc74ff0441378c47a2cc50be0f13c1a6de487ffe
Instruction ID: 5f18f2f3dd305a7818e8b7e6a36b53765db22146c693388615902669ace51645
Opcode Fuzzy Hash: 359944d4cec3779ac797bb0fcc74ff0441378c47a2cc50be0f13c1a6de487ffe
Instruction Fuzzy Hash: 45A1ACB1D0025ACFDB20CFA8C8917EDBBB6BF45310F1481AAD818A7291D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1948 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AB1B7E

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f1cbe15756e06e792118d6ccbd1a61049a7a863548f41520cd7d4207460c8856
Instruction ID: c79096da74870d3d0f93a71af349d9416256271634eecb461dd87f1dd8cbea6e
Opcode Fuzzy Hash: f1cbe15756e06e792118d6ccbd1a61049a7a863548f41520cd7d4207460c8856
Instruction Fuzzy Hash: C3916BB1D0025ECFDB24CFA9C8917EEBBB6BF48310F1485A9D819A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03159470 Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031596B6

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 484f26ef9e4abf71662795aaf516a3f7d4fc4c1235f67ffc24dd1ce3b152cab2
Instruction ID: 260f3195ac6e352317424abd430f143c766ec881fd589bc65f069e9fbf1f150c
Opcode Fuzzy Hash: 484f26ef9e4abf71662795aaf516a3f7d4fc4c1235f67ffc24dd1ce3b152cab2
Instruction Fuzzy Hash: 767116B0A00B05CFDB64DF2AD15475ABBF5BF88210F04892EE856D7A50DB34E855CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0315FDCC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0315FEEA

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b690aa5a24664df1e3c13b0d0ef6d2ca2f7aa1b305c668e09ab8481f684f7abe
Instruction ID: 2998417b25a737bfb45426506bf0829a9c36c83719f1dbd4a6ccfe1078bc6afa
Opcode Fuzzy Hash: b690aa5a24664df1e3c13b0d0ef6d2ca2f7aa1b305c668e09ab8481f684f7abe
Instruction Fuzzy Hash: 6051B0B1D00249DFDB14CF9AD984ADEFBB5FF48310F25812AE819AB250D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0315FDD8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0315FEEA

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7b6ff964ace164dc6ea725a688f6b418bdd4d51ef648595c125277cbdace35b5
Instruction ID: 7efa4d1ef04713bec2c6c12974b348d26c2f60478884edeaf77fc5bbbcebf84d
Opcode Fuzzy Hash: 7b6ff964ace164dc6ea725a688f6b418bdd4d51ef648595c125277cbdace35b5
Instruction Fuzzy Hash: 6F41AEB1D00209DFDB14CF9AD984ADEBBB5BF48310F24812AE819AB250D7749986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03155344 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03155401

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2e6e7c38ea0d01a48ad53de3b36189dcae552e434e3a3b48dfc906e4996a1d66
Instruction ID: db826fa02cb8634daae6277c51db84d261e3bd210c41a6a878cb87d388609209
Opcode Fuzzy Hash: 2e6e7c38ea0d01a48ad53de3b36189dcae552e434e3a3b48dfc906e4996a1d66
Instruction Fuzzy Hash: DB413471C00619CFDB24DFAAC8847CDBBB2FF49305F248069D819AB251E7B4594ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 03153DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03155401

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9680dc5b4f24a9693bbe1ea3d3a034ed1df15f8f29667b8fa848f6e1e8616729
Instruction ID: fee7766521e5b2388d2319c078b87b992939dcbf2aad5f326cac808d03306f2e
Opcode Fuzzy Hash: 9680dc5b4f24a9693bbe1ea3d3a034ed1df15f8f29667b8fa848f6e1e8616729
Instruction Fuzzy Hash: 36410270C00619CFDB24DFAAC8847CEBBB2BF49305F248059D819BB251E7756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031598D0 Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03159731,00000800,00000000,00000000), ref: 03159942

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 70c782f386a07f4dc909a79c8e82da6379f30895e9497300d99337c02238a8eb
Instruction ID: 26369295ee814b44f63ac93e6f4ff37bc91140335077a23d76b78b2d8793f16e
Opcode Fuzzy Hash: 70c782f386a07f4dc909a79c8e82da6379f30895e9497300d99337c02238a8eb
Instruction Fuzzy Hash: 5341F1B5D00208DFDB14CF99D588BEEBBF4BB48314F14841AE829BB250C7799945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 07AB172F Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AB17D0

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: be673ab2a5482a6e3d3cf434bb4c79d9dfb184d4bb7d0f1072a85257d995d1f4
Instruction ID: 3b62e5ba4d08a5041a643496baa3ba4817b5afce9f4b5cb1aeb788d6c441e9ac
Opcode Fuzzy Hash: be673ab2a5482a6e3d3cf434bb4c79d9dfb184d4bb7d0f1072a85257d995d1f4
Instruction Fuzzy Hash: 0D2146B1C003499FCB10DFAAD880AEEBFF4BF48310F50842AE558A7250C7789A40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1628 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AB16C0

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 32bc5ce1fe0e12ca81f61c163691298394ddd6d398b54d6f66dd542b8f4fcb99
Instruction ID: 347a5f1c4b0918777ef5bd20be3fd1e58bdf0321e4a532eb6fd2665a315db0b8
Opcode Fuzzy Hash: 32bc5ce1fe0e12ca81f61c163691298394ddd6d398b54d6f66dd542b8f4fcb99
Instruction Fuzzy Hash: 2D2135B1D002199FCB10CFAAC9907EEBBF5FF48310F54842AE929A7241C7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1630 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AB16C0

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1efd5eee269a6ff89d4f21eeafe65536d0c02c379011fd1768e355a01b1be738
Instruction ID: b98aeb365269332c2fea5ff73134d3c483de9bd2cc227a9082bad071389f1020
Opcode Fuzzy Hash: 1efd5eee269a6ff89d4f21eeafe65536d0c02c379011fd1768e355a01b1be738
Instruction Fuzzy Hash: 512127B1D003599FCB10CFAAC890BDEBBF5FF48310F54842AE929A7241C7789954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AB0F10 Relevance: 1.6, APIs: 1, Instructions: 66
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07AB0F96

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8e6f94485e2a525e6de5f8b1e98797bf2c3a28582c8dd15ca0ae84a01677e754
Instruction ID: f5b58160d9b991f6891ee4c40899f1563c1b40fec14987f29bf5f18399473354
Opcode Fuzzy Hash: 8e6f94485e2a525e6de5f8b1e98797bf2c3a28582c8dd15ca0ae84a01677e754
Instruction Fuzzy Hash: DF2159B2D002098FCB10DFAAC4847EFBBF4EF48310F54842AD459A7241C7789945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07AB0F18 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07AB0F96

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 5f1b0bcca02a2dd6c8e4646e98c62cc32b2801207d5de73663be69d18b296a16
Instruction ID: edd0e5e741ebe3f02fdd13071e301ae6c28f4872d312e33c2153a7c986262fdd
Opcode Fuzzy Hash: 5f1b0bcca02a2dd6c8e4646e98c62cc32b2801207d5de73663be69d18b296a16
Instruction Fuzzy Hash: 8A2118B1D002099FCB10DFAAC4847EFBBF4EF98354F54842AD529A7241CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1750 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AB17D0

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3c642dc8dd6fedcd9bd6bc2e4247db46bad8ab487c8719712f6ddf1204bd4d52
Instruction ID: 8a8c7a27c39c710a1d6c2f41f68d9cd439ce9f0af839c6a5d3c82ce395acb9be
Opcode Fuzzy Hash: 3c642dc8dd6fedcd9bd6bc2e4247db46bad8ab487c8719712f6ddf1204bd4d52
Instruction Fuzzy Hash: 092128B1D002599FCB10DFAAC880AEEBBF5FF48310F50842AE529A7240C7789950CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0315B990 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0315BA17

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d435a7241200a9e8560b538a0f906bf7cdc73cd6cf1e4da8d0a5f8ed4b166db
Instruction ID: 9c1e6a900714d122b005ba5cedc1b0276a2bddf7ce1fe1d2a0eb0cbf401d2928
Opcode Fuzzy Hash: 0d435a7241200a9e8560b538a0f906bf7cdc73cd6cf1e4da8d0a5f8ed4b166db
Instruction Fuzzy Hash: 0321B0B5D002599FDB10CFAAD984ADEFFF8EB58320F14841AE914A3210D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0315B988 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0315BA17

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3f56f42ac9e966026862344689f814d2d066bdb20918907114e71f98af425603
Instruction ID: 73aa3ea17e26933decd92f7bbcfe9588072625f54e499a2097781aac4c84fadb
Opcode Fuzzy Hash: 3f56f42ac9e966026862344689f814d2d066bdb20918907114e71f98af425603
Instruction Fuzzy Hash: 4B21E0B5D002499FDB10CFAAD984ADEBFF8EB48320F14845AE954B3250C378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 031589D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03159731,00000800,00000000,00000000), ref: 03159942

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 57a489f413e1a3e68328cc870564cc4ee17543b8a04ac53d28dd8ce025a00601
Instruction ID: 8469025de8d5edf0e8f1c72041fc4d2813ae74cf2917a63b248e0eac5ce9f754
Opcode Fuzzy Hash: 57a489f413e1a3e68328cc870564cc4ee17543b8a04ac53d28dd8ce025a00601
Instruction Fuzzy Hash: 3C1106B6D00249CFCB10CF9AD444ADEFBF4EB58310F14842AE925A7200C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1539 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AB15AE

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7191051a1aee35284055b8db59b286751aa97ad9800c3034f2d2ecf370bce319
Instruction ID: 227f30c47b7b7728844c22e253ebc9a7a85516870c2949ff9a074d9158f09179
Opcode Fuzzy Hash: 7191051a1aee35284055b8db59b286751aa97ad9800c3034f2d2ecf370bce319
Instruction Fuzzy Hash: FA115972D002499FCB10DFAAD884ADFBFF5EF88314F14881AE529A7250C7799950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1540 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AB15AE

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5bd006dd8d07dbb274e6bd1b35b17d068cb9df9600d3e9aed3ae7c9fc793b3a0
Instruction ID: 8ba347d4363282ad83565cf2861cddfb6cc6207632edfa45477cd07b7ef96bf7
Opcode Fuzzy Hash: 5bd006dd8d07dbb274e6bd1b35b17d068cb9df9600d3e9aed3ae7c9fc793b3a0
Instruction Fuzzy Hash: 96112671D002499BCB10DFAAD844ADFBFF9EF88320F148819E525A7250C779A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07AB0E30 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07AB0E9A

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 110295b585d080e9dbb0f8fdb603b20d227226bd5e30dc1b1a02721be4944af3
Instruction ID: 39515ef4fb08fcafbb30a151f9c69e8ff6cb0120dadf88b48b52ebac100b423d
Opcode Fuzzy Hash: 110295b585d080e9dbb0f8fdb603b20d227226bd5e30dc1b1a02721be4944af3
Instruction Fuzzy Hash: 481119B1D002498ACB20DFAAD5447EFBFF5AF98314F14881AD529A7240C779A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07AB0E38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07AB0E9A

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6fc6a936e6813a454dbd866b94bcd4f82e61db7f860bbcbcef4784481dbff7b4
Instruction ID: 24dcbd6afbd2e206c605dec8642ca9664b640b51b77a5f0e411166de07bdea8a
Opcode Fuzzy Hash: 6fc6a936e6813a454dbd866b94bcd4f82e61db7f860bbcbcef4784481dbff7b4
Instruction Fuzzy Hash: F411F8B1D002498BCB10DFAAD4447DFFBF9AF98324F148819D529A7240C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03159650 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031596B6

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 764fb3be258ec2783bce5539c7ab2878d1b2c72559637d13b983468a1a4f259a
Instruction ID: 693640a6a3b8153ec38ebbd2180ec9c24d59c84716fe16b42a1393b12b8d73c8
Opcode Fuzzy Hash: 764fb3be258ec2783bce5539c7ab2878d1b2c72559637d13b983468a1a4f259a
Instruction Fuzzy Hash: B21110B6C01249CFCB10CF9AD544ADEFBF8EB88324F14851AD829B7210C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0315997B Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03159731,00000800,00000000,00000000), ref: 03159942

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c34dec70984c0e092fcc183703eb1ccbc6ced73c7e3f075fadecbf31567bd9a5
Instruction ID: 4de57de5720c65d17b0a325140bcdb8dca511e9990e0e666d0af13c088079d7e
Opcode Fuzzy Hash: c34dec70984c0e092fcc183703eb1ccbc6ced73c7e3f075fadecbf31567bd9a5
Instruction Fuzzy Hash: DE0161B6900205CFDB24CB9AD8047DAFBF4AF98320F08845EE959A7600C3799544CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07ABA5E0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07ABA645

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aba554fccc5511430c7c4c3d3a2d580139f44db401296aaa520b0d526347ba7a
Instruction ID: c92575e70c83ada7767feeff48496c8dafc0ab7c6f6ee11d6184a26f47011ee8
Opcode Fuzzy Hash: aba554fccc5511430c7c4c3d3a2d580139f44db401296aaa520b0d526347ba7a
Instruction Fuzzy Hash: 151125B59002499FDB10CF9AD544BDEBFF8EB48320F10840AD464A3600C375A540CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07ABA5E8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07ABA645

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 796a5272ba47f153e3c943d14a9bd6c6aa3ddadc7ec41252c797436e5563dd64
Instruction ID: 50c16701a47890dc13e50dd9404dc5ce141a6b419d61dcbbedbf8d6bf9495208
Opcode Fuzzy Hash: 796a5272ba47f153e3c943d14a9bd6c6aa3ddadc7ec41252c797436e5563dd64
Instruction Fuzzy Hash: 9811D3B58002499FDB20CF9AD984BDEBFF8EB58324F10841AD525A7600D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367072478.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e14994be32ee845d47a8ae7f9838331fcb862fde229af41e4eeeb420d4cfa4
Instruction ID: 6d0cc1de8c2f70f6d409a0c9ed319983de8b978a5b37a42fb9548695379cab03
Opcode Fuzzy Hash: e9e14994be32ee845d47a8ae7f9838331fcb862fde229af41e4eeeb420d4cfa4
Instruction Fuzzy Hash: 7E21E072500240DFDB21DF58E9C0B26FF66FB98728F2485BDE9050A246C336D856CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 017DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367107901.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d17acc17a41a0fc2500d05168c2e1656a14fb19d2af04f186bfea542de96db
Instruction ID: 244a66849366dba41fb27e8d2e4aab96a1c64543d161340d49d12c16cca568f6
Opcode Fuzzy Hash: 89d17acc17a41a0fc2500d05168c2e1656a14fb19d2af04f186bfea542de96db
Instruction Fuzzy Hash: 91212271604248DFDB21DF68D9C0B16FF75FB88354F24C5A9D80A0B286C33AD806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 017DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367107901.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7607420e7779d7d4840591d3332ffc6adb91cb6dd7213780cae3ca8de894158d
Instruction ID: ac2926bde4da21dca093c432d7c3a19a67ca13a7f1490af156e186fd904f978c
Opcode Fuzzy Hash: 7607420e7779d7d4840591d3332ffc6adb91cb6dd7213780cae3ca8de894158d
Instruction Fuzzy Hash: A52192755083849FCB13CF24D994B11BF71EB86214F28C5EAD8498F297C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 017CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367072478.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
Instruction ID: a653832b5b410b8c7ada3fe1447d3e0655aea0d86f17cbafc2c797169c909ab6
Opcode Fuzzy Hash: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
Instruction Fuzzy Hash: B611CD76404280CFCB12CF54E9C0B16BF62FB94724F24C6ADD8480B616C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367072478.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09446379274d20301792d98935cedf0d2f200b30b9e49a541268a58c5ecb5fc0
Instruction ID: d190c3513748d4794a7257efa1ae815fe536b3b1528b3f8cbffe4efd450eed7c
Opcode Fuzzy Hash: 09446379274d20301792d98935cedf0d2f200b30b9e49a541268a58c5ecb5fc0
Instruction Fuzzy Hash: E901A2714043C5AAE7215AAACD84B66FFD8EF50B24F18857EED096B242D3789844C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367072478.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d165a029fdce54b3939ba683d22c043e55c986d53fd1066bf5975ea7bc472c91
Instruction ID: f6a1f3fd6707b5bea963fd9c2f4dea0206a76e3b1510e4807a538de325f7bcd2
Opcode Fuzzy Hash: d165a029fdce54b3939ba683d22c043e55c986d53fd1066bf5975ea7bc472c91
Instruction Fuzzy Hash: 3CF06272404284AFE7218A5ACD84B62FFDCEF91734F18C56EED085B286C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07AB2430 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

l, xrefs: 07AB254D

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID: l
API String ID: 0-2517025534
Opcode ID: 941944605ec349e303424ad52e491198d0a87ec142b281a6ef0895bc792b0f05
Instruction ID: ccfdfa02bb6377c67e1c027dc98f65e9439b7e54e767f2ff10551f126bd92d11
Opcode Fuzzy Hash: 941944605ec349e303424ad52e491198d0a87ec142b281a6ef0895bc792b0f05
Instruction Fuzzy Hash: F5415DB1E05A588FEB68CF6B8D407DAFAF7BFC9201F14C1BAC44CAA255DB3405818E01

Uniqueness

Uniqueness Score: -1.00%

Function 07AB04F0 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50378543d093ced53330203b15a747d2177e1b55ee1c591401a61333ff40a1c9
Instruction ID: 1b999aa37ecb2212b491cafa559d0cfc7873ec4c5e88c6d713ee23f676f37e6a
Opcode Fuzzy Hash: 50378543d093ced53330203b15a747d2177e1b55ee1c591401a61333ff40a1c9
Instruction Fuzzy Hash: 5FE10BB4E002598FDB14DFA9C580AAEFBB6FF89300F248159D815A7356DB34AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AB0040 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec6d946b54ddf8a94c4f17831f04f71a24d20ee028ecedb4e3ee0fb44e1138f
Instruction ID: 947bc9be82417919008283147c75fa3c409a192ce9f9a86e3c20feabe98270c6
Opcode Fuzzy Hash: 3ec6d946b54ddf8a94c4f17831f04f71a24d20ee028ecedb4e3ee0fb44e1138f
Instruction Fuzzy Hash: 73E11BB4E002598FDB14DFA9C580AAEFBB6FF89304F248169D914A7356D734AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1020 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652f56f36b8c3fa3ec03b7f1f12628e9d2f4b9d3be2f638124d60cb104a3529e
Instruction ID: 5ec601bb14edd8c3806a8f40478a079ddb96f79bece76a58c27b83ef68c91d8f
Opcode Fuzzy Hash: 652f56f36b8c3fa3ec03b7f1f12628e9d2f4b9d3be2f638124d60cb104a3529e
Instruction Fuzzy Hash: 28E1F5B4E00259CFDB14DFA9C5909AEFBB6FB89304F248169D814A7356DB34AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0315E650 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed93621327d4c9649ae1c18f30a73d95f6da948b2f36ce551732e888168be84
Instruction ID: 9cafd3a8cd96d60895c714f90b6804fe2af68acaf163ab735603db420d2117be
Opcode Fuzzy Hash: 2ed93621327d4c9649ae1c18f30a73d95f6da948b2f36ce551732e888168be84
Instruction Fuzzy Hash: DE12DAF1411746AAD330EF65FC9E199BB60B766328FB2E208D1612F6D8D7B81146CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0315C284 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33f1f54cfc7b2d7c1b443a2a6b2b127b2fbed8de53a8080befefd7c4cbf54a9
Instruction ID: 8d08405badd646c4f38a1104c946a14fda4f8dad03cc8f8375f4c5f5ad04473f
Opcode Fuzzy Hash: c33f1f54cfc7b2d7c1b443a2a6b2b127b2fbed8de53a8080befefd7c4cbf54a9
Instruction Fuzzy Hash: C2A16036E00319CFCF15DFA5D8845DEBBB2FF89300B19856AE815AB260DB31A955CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0315E640 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.367276526.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901ce52f6cac12c843c826fa9d4f8afe1550428630ed908e963073ca044a25d0
Instruction ID: 49ba99251000b7f2f3b13596adcb5cc024a9b032293d0f701d8c844d1bdd0ce1
Opcode Fuzzy Hash: 901ce52f6cac12c843c826fa9d4f8afe1550428630ed908e963073ca044a25d0
Instruction Fuzzy Hash: 70C16CB1811746ABD720EF65FC8E199BB70BBA6324F72E308D1616B6D8D7B41046CF84

Uniqueness

Uniqueness Score: -1.00%

Function 07AB8E4D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386620110.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc7a8f904038d3b8397ad9dbc12b7301224e5fea802c16c68abf656d0c576c4
Instruction ID: e634b36691fc635fa401002f6c85028a5f9b447d3450bc5a96dbb5060be7d7f4
Opcode Fuzzy Hash: dbc7a8f904038d3b8397ad9dbc12b7301224e5fea802c16c68abf656d0c576c4
Instruction Fuzzy Hash: 2F319BB1E056288BEB28DF67D8143DAFAF7AFC9310F04C0AAC54C66255DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 4An07Q7I8G.exePID: 1252, Parent PID: 1100COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	299
Total number of Limit Nodes:	9

Executed Functions

Function 012A9470 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pN, xrefs: 012A95EE
pN, xrefs: 012A9613

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: HandleModule
String ID: pN$pN
API String ID: 4139908857-3560575591
Opcode ID: 6ff26714e6a908d4e387faa940c0cef750b726b9a81a8c6f7626eecfef3dfdeb
Instruction ID: 63165e260590767dd77276b26f4cb907ba931a59cf86f3339100f4b1b904dd36
Opcode Fuzzy Hash: 6ff26714e6a908d4e387faa940c0cef750b726b9a81a8c6f7626eecfef3dfdeb
Instruction Fuzzy Hash: B87146B0A10B068FDB64CF2AE15176ABBF1BF88314F408A29D586D7B40DB34E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F8193D Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F81B7E

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b9be4b67b18cdf58b2697e0c903da37a61c24ac964153ac373c0899548dbed11
Instruction ID: 8040d534e394b47d7915d741150281cc645be110468392d697e5400dd2a02c64
Opcode Fuzzy Hash: b9be4b67b18cdf58b2697e0c903da37a61c24ac964153ac373c0899548dbed11
Instruction Fuzzy Hash: EBA16B71D0021ADFDB60DFA9C841BEDBBB2BF45310F1486A9E849A7240DB749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F81948 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F81B7E

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 61bcf497606bf41c94b364062bd19dd34d0a013b72f4757617eb527997f98f12
Instruction ID: dcb1415f4781a03a001699a2fd3794ec28dcfa0a7276a96cf003803380ae2390
Opcode Fuzzy Hash: 61bcf497606bf41c94b364062bd19dd34d0a013b72f4757617eb527997f98f12
Instruction Fuzzy Hash: 52915B71D0021ACFDB64DFA9C841BEDBBB2BF48310F1486A9D819B7240DB749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 012AFDCC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012AFEEA

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e69037ad98f2ad1e93e0eb47762eba9c4d3a9751b4e7aef363374f69b09b0086
Instruction ID: 63e87de739c07e363bc0f3660448510e28fb7df06f36491e11293655cf6128f1
Opcode Fuzzy Hash: e69037ad98f2ad1e93e0eb47762eba9c4d3a9751b4e7aef363374f69b09b0086
Instruction Fuzzy Hash: 7251D0B1D103099FDB14CF9AD984ADEFFB5BF48310F64812AE519AB250D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012AE16C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012AFEEA

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 63ebcc916b41303f04113f7e26eea505e75d01ef8a896c1fff6bc93922e54af2
Instruction ID: 74bf33511f0b602d58be644f738d5d863a62ba4be78115fefab09f1d58d8cb7b
Opcode Fuzzy Hash: 63ebcc916b41303f04113f7e26eea505e75d01ef8a896c1fff6bc93922e54af2
Instruction Fuzzy Hash: D051DEB1D103099FDB14CF9AD980ADEFFB5BF48310F64822AE919AB250D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A5348 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A5401

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 42c95dceaa011e52c45aad75d466d1183bd821f2d357f58bf1d3ba65dbb2faf6
Instruction ID: fe990905a075b7cbf5e43a1eeafeb108f84b2675cf5d8880794021a7df5a6ec9
Opcode Fuzzy Hash: 42c95dceaa011e52c45aad75d466d1183bd821f2d357f58bf1d3ba65dbb2faf6
Instruction Fuzzy Hash: 5641F171D00619CFDB24CFAAC884BCEBBB5FF48304F24806AD408AB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A3DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A5401

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bc137d7f2a35640ce409de0370815273a217983e155fc00c9d97d8cabd5dcd78
Instruction ID: d91f81a81eb48eed320b87f025fa5e4a10595ca45f833dd5400c6a21d1a5eeba
Opcode Fuzzy Hash: bc137d7f2a35640ce409de0370815273a217983e155fc00c9d97d8cabd5dcd78
Instruction Fuzzy Hash: B441EE71D00619CFDB24CFAAC884BCEBBB5BF48304F648069D408AB251DBB56949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F81628 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F816C0

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3502a5be3af69627ab5f840d7c2a978928db9b3e9b024129feafa1915d257235
Instruction ID: 0c7335753e70bdad2b39fe3286e4e53fa628e1b40628768ee97d73c1991dd0e0
Opcode Fuzzy Hash: 3502a5be3af69627ab5f840d7c2a978928db9b3e9b024129feafa1915d257235
Instruction Fuzzy Hash: A2214671D0030A9FCB10DFAAC880BEEBBF4FF48314F14842AE959A7241C7789940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06F81630 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F816C0

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 484f6feba091060a7cc6d1a9509841b3271831a44df032afdaeebbef7039aab5
Instruction ID: b46c0b405a3e77e88d5e03937214667233bcb921c4e0e33ee70ebf4daf1047c8
Opcode Fuzzy Hash: 484f6feba091060a7cc6d1a9509841b3271831a44df032afdaeebbef7039aab5
Instruction Fuzzy Hash: 19212571D0030A9FCB10DFAAD880BEEBBF5FF48310F54852AE959A7241C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06F81748 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F817D0

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6b99f30206cd5db4a21b5eac6394891c52a8c04725e297e4633f850e3cf87208
Instruction ID: ffce769a7b7b7653e6bb4a8bce7a28faa159729d76152ae61250694a4b80d25f
Opcode Fuzzy Hash: 6b99f30206cd5db4a21b5eac6394891c52a8c04725e297e4633f850e3cf87208
Instruction Fuzzy Hash: E2211471D0020A9FCB10DFAAD884AEEBBF5FF48320F50852EE559A7250C7789941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 012AB988 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012AB956,?,?,?,?,?), ref: 012ABA17

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 110980c5a082756b0a3fa33d70a0bbb70d06ff931f0fab14ec3fcda03b6764bb
Instruction ID: 0cdeff26d15c120069578f6ad873135892ba67abf92eb55f3a969c1794b77ac4
Opcode Fuzzy Hash: 110980c5a082756b0a3fa33d70a0bbb70d06ff931f0fab14ec3fcda03b6764bb
Instruction Fuzzy Hash: E021D2B5D002099FDB10CF9AD984ADEBBF8EB48320F14841AE954A3311D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F80F10 Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06F80F96

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a5c4e624fdd4ee688f20836c50e8c225208e572ba472b5c3ef5e62ae285a6285
Instruction ID: 4d4999eaa11174dbd3ca0d4e7c84db8a9dee9889419df8ee0145d1abaa9dc247
Opcode Fuzzy Hash: a5c4e624fdd4ee688f20836c50e8c225208e572ba472b5c3ef5e62ae285a6285
Instruction Fuzzy Hash: 7B212571D002098FCB50DFAAC8847AEBBF4EF58324F54C42EE859A7241CB789944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012AAB9C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012AB956,?,?,?,?,?), ref: 012ABA17

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 29dab81a2a1a585d4c470794007f392671eeab7d5e25f7fa93b734a2101086f9
Instruction ID: c04783239b9b63b8c04b7637374e4679e57d9decd806e89586583b1cf9e7a701
Opcode Fuzzy Hash: 29dab81a2a1a585d4c470794007f392671eeab7d5e25f7fa93b734a2101086f9
Instruction Fuzzy Hash: 6621E3B5D002099FDB10CF9AD984AEEBFF8EB48320F54845AE954B3311D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F81750 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F817D0

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 44534ee7a4404cf2854c4dd28add185db51f0214373cc3ed13caa3858eb13608
Instruction ID: 9394750bc13027e8795304fce8c7aef9a990c25ef78dbfe9f3c24f3222b78554
Opcode Fuzzy Hash: 44534ee7a4404cf2854c4dd28add185db51f0214373cc3ed13caa3858eb13608
Instruction Fuzzy Hash: FE212571D002099FCB10DFAAD880AEEBBF5FF48320F50852EE519A7240C7789941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F80F18 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06F80F96

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4b8e0ab290cc0a8a9738b7e97e072ecdaa0f1692625f5737bfa11132728ca08b
Instruction ID: 6c96aa4d8141736d1a6150b8d624a1b7ecdd197065c23e77f6f416c3fade421f
Opcode Fuzzy Hash: 4b8e0ab290cc0a8a9738b7e97e072ecdaa0f1692625f5737bfa11132728ca08b
Instruction Fuzzy Hash: 0C211571D002098FCB50DFAAC8847EEBBF4EF58324F54C42AE559A7241CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012A89B8 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012A9731,00000800,00000000,00000000), ref: 012A9942

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3c7b907818c61cd7621028564d6bb87cb6c18bf5356a6f06da909686d8cacadd
Instruction ID: 8843ef22c800975fab36984e00d3a078bec3e2b73a499e247f194b7f26284d4e
Opcode Fuzzy Hash: 3c7b907818c61cd7621028564d6bb87cb6c18bf5356a6f06da909686d8cacadd
Instruction Fuzzy Hash: 9D2149B6C0034A9FDB10CF9AD844BDEFBF8EB58314F14846AD555A7210C3B8A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F81539 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F815AE

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: acf41fc10c457edd6f9378643dfb380a583001ac58254be0e4e62c94843a3062
Instruction ID: b2bdfe805e6e2757b7a384b08656e29c18f2e63f07811f0a27715441a80a5cf8
Opcode Fuzzy Hash: acf41fc10c457edd6f9378643dfb380a583001ac58254be0e4e62c94843a3062
Instruction Fuzzy Hash: D0111472D002099FCB20DFAAD844AEFBFF9EF48320F148519E519A7250CB799941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012A89D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012A9731,00000800,00000000,00000000), ref: 012A9942

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fae1572d5e7f1f19b39a74e72255df9d3f59576c2a7467a8778f6010fe609d3a
Instruction ID: b166facd101b4ba4d2c7d0bc76e8e4131e39482e8f78cc591520e14ba2e36bb8
Opcode Fuzzy Hash: fae1572d5e7f1f19b39a74e72255df9d3f59576c2a7467a8778f6010fe609d3a
Instruction Fuzzy Hash: 2C1106B6D0020A9FDB10CF9AD444ADEFBF4EB98324F50842ED555A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F81540 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F815AE

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 474d6b7834321d9f3229fc9835cfb0613759c4e36b7c88b6de4b2948c439a94d
Instruction ID: 4f27d22cfb4d8bbbc0083c9b9d0a91b04c591bafc61c3b66219a4ce04a6eac65
Opcode Fuzzy Hash: 474d6b7834321d9f3229fc9835cfb0613759c4e36b7c88b6de4b2948c439a94d
Instruction Fuzzy Hash: 1B112672D002099FCB10DFAAD844ADEBBF5EF48320F148419E515A7250C7799940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012A98D0 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012A9731,00000800,00000000,00000000), ref: 012A9942

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2f2afd9572080fa7b233f0b5b315c83b0d01499650874d129a4b36cc1febbcb3
Instruction ID: 875376a2cbdb388b197447224896cbdc124fd796ac84e2ea5e69bd2a7948b9f5
Opcode Fuzzy Hash: 2f2afd9572080fa7b233f0b5b315c83b0d01499650874d129a4b36cc1febbcb3
Instruction Fuzzy Hash: 0D1114B6D0020A9FDB10CF9AD544BDEFBF8AB58324F14852AD515B7210C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F80E30 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F80E9A

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 98a5e551eb7f0cb21adf2b587bdb5da543e86475ca89f3b48af37a28f4845b1d
Instruction ID: ecfea8e96f5d94cf1bc3b3f1288509fa40b60c1ef0fe2809d42fdae6983bae13
Opcode Fuzzy Hash: 98a5e551eb7f0cb21adf2b587bdb5da543e86475ca89f3b48af37a28f4845b1d
Instruction Fuzzy Hash: C2110471D002498BCB10DFAAD8447DFBBF9AF98324F248819D519B7240CB79A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F8AD68 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06F8B869,?,?), ref: 06F8BA10

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 728d0589fc6025d17838e86352f966af329beac63452b059854e040e9b74efb1
Instruction ID: e4839a45204ae98aabbb87eede060cedbe0c484518aa986ccc82842e9f2858bc
Opcode Fuzzy Hash: 728d0589fc6025d17838e86352f966af329beac63452b059854e040e9b74efb1
Instruction Fuzzy Hash: 331128B5C002098FCB50DF9AD484BDEBBF4EB58320F108459D955B7341D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012A8968 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,012A9483), ref: 012A96B6

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3d9d35f638c86c5ceecce460cbd7e5f6ac71de5c85ae599c726401fad09072a5
Instruction ID: e72c5507dc2e962b9da470e9cddb06972a12a5f2e42bcad4ca2804c89106e1f1
Opcode Fuzzy Hash: 3d9d35f638c86c5ceecce460cbd7e5f6ac71de5c85ae599c726401fad09072a5
Instruction Fuzzy Hash: F4111FB5C002498FCB10CF9AD444ADEBBF8AF88724F54851AD519B7200C378A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F80E38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F80E9A

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bbea4529ea4f0cb566cfcd0ddc9d44f0c7a12a2d711090d3da444710289b68c1
Instruction ID: 8c0d72afc66ece00c2f9f23a8b856c7e1d5b7b3b7803e8d343cabc6f59e2c3c9
Opcode Fuzzy Hash: bbea4529ea4f0cb566cfcd0ddc9d44f0c7a12a2d711090d3da444710289b68c1
Instruction Fuzzy Hash: B5111671D002098BCB10DFAAD84479FBBF9AB88324F248419D519B7240CB78A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 012A997A Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012A9731,00000800,00000000,00000000), ref: 012A9942

Memory Dump Source

Source File: 00000007.00000002.397702060.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_4An07Q7I8G.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b57edb1a657170845db9c42dcf2ab460f31ee36ab766ab9b481f9034bd055109
Instruction ID: 900584b4f3557921a1f71def0c861483eb8adb7ae8cf217913479d27b13281a3
Opcode Fuzzy Hash: b57edb1a657170845db9c42dcf2ab460f31ee36ab766ab9b481f9034bd055109
Instruction Fuzzy Hash: 1711A1729103069FDF20CF9ED804BDABBF4AF94324F04841ED209A7200C379A445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F8A040 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06F8A09D

Memory Dump Source

Source File: 00000007.00000002.406607344.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f80000_4An07Q7I8G.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 29e723d0661454380509b34eec5dcda1175553b8a9e86804e50ac3bd8c93741c
Instruction ID: 1c68a81232fe0370322a8d667a8dab54a2ac354a3c9c72d089d08bb9b52fae0b
Opcode Fuzzy Hash: 29e723d0661454380509b34eec5dcda1175553b8a9e86804e50ac3bd8c93741c
Instruction Fuzzy Hash: 951103B5C002099FCB10DF9AD984BDEBBF8EB48320F20845AE415A3300C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.394650324.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6719666b46e7c8f18380f14f01038ccd88aa818b1705b2e72fd6e27ff97caea9
Instruction ID: a420bfe28f3fa80d321da0b53d60b379c9d5c333e623b4ae4275dff06b0dd514
Opcode Fuzzy Hash: 6719666b46e7c8f18380f14f01038ccd88aa818b1705b2e72fd6e27ff97caea9
Instruction Fuzzy Hash: 2421D371504280DFDB15DF14E9C0B26BF66FBA832CF34C669E8450B246C376D856DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.394650324.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
Instruction ID: 9d7dff5a821f8e6f0ba2594c94d130a289a08e1eaef3238e836ebbbcb3206d4e
Opcode Fuzzy Hash: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
Instruction Fuzzy Hash: 0F11E676504280CFDB12CF14D9C4B16BF72FB94328F38C6A9D8454B656C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.394650324.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7f7a5bc7c2883e20385f7ef04ba9726bc5c3ef903715f5379cb51d7e868cbd
Instruction ID: b742c92e0b23359512bd4dc0c7aab7135a2e67a22b0081bbd9c78fb845b5a645
Opcode Fuzzy Hash: dd7f7a5bc7c2883e20385f7ef04ba9726bc5c3ef903715f5379cb51d7e868cbd
Instruction Fuzzy Hash: D801F231408395AAE7104A29EC80B66FFDCEF60328F28855AED865B282C37CDC44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.394650324.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_4An07Q7I8G.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94903156ed8782200001440cc609a8c818903d0e4fb4286d6d6e16814aab283b
Instruction ID: 677791ccfee083ccab8d572fd1f215a2488490cb39974f0edfd18a33c566cca7
Opcode Fuzzy Hash: 94903156ed8782200001440cc609a8c818903d0e4fb4286d6d6e16814aab283b
Instruction Fuzzy Hash: F1F0C272404284AEE7108A16DC84B62FFDCEBA0338F18C55AED485F282C37C9C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 3348, Parent PID: 1100COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	147
Total number of Limit Nodes:	9

Executed Functions

Function 06AF9990 Relevance: 4.7, Strings: 3, Instructions: 956
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NAb&, xrefs: 06AF9D86
T/[, xrefs: 06AF9D90
UUUU, xrefs: 06AF9E62

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: NAb&$T/[$UUUU
API String ID: 0-23906302
Opcode ID: 120517d20336e76b7ffc9079cf5dd221afa9845e4e139cdd0918537f6338a6d6
Instruction ID: 101d343fc6315116b537761094f500b3a9204f929b066fcb39fded0c4f990c9e
Opcode Fuzzy Hash: 120517d20336e76b7ffc9079cf5dd221afa9845e4e139cdd0918537f6338a6d6
Instruction Fuzzy Hash: 01A29375A00628CFDB64DF69C984AD9BBB2FF89300F1581E9E509AB325D7319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06AF1AC8 Relevance: 1.0, Instructions: 1048COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daac3ac88e95e3c7823a1f0691928395ca80ef6c57de4af206113dc8c2ca28dc
Instruction ID: 1f2e0c60e8f8a2b4fe030d2f381de771399f24a9dccde66b7f4d40f91c2aeec6
Opcode Fuzzy Hash: daac3ac88e95e3c7823a1f0691928395ca80ef6c57de4af206113dc8c2ca28dc
Instruction Fuzzy Hash: DDB2B575E00628CFDB64DF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06AFBB06 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7facec716d71ad7063646709f4522cf76b8de211c9b4eb4e0cbbb994d5938c8d
Instruction ID: 21026aba25a3e99c6b7cf8c8505d44d0940fff3e74a9cf33ba28e57a6fc0cb98
Opcode Fuzzy Hash: 7facec716d71ad7063646709f4522cf76b8de211c9b4eb4e0cbbb994d5938c8d
Instruction Fuzzy Hash: 0B428078E11218CFDB54DFA9C984B9DBBB2FF88310F1181A9E909A7355D734AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06AF8E11 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e133552f1963fbf443cdf483c1b5a0cd9eb8e648a6a2800a81b9d61719f0e643
Instruction ID: 387eeb45da30e10591054ac4a2c57fb4df6d10aaa1e58db54c4741604ee2ae20
Opcode Fuzzy Hash: e133552f1963fbf443cdf483c1b5a0cd9eb8e648a6a2800a81b9d61719f0e643
Instruction Fuzzy Hash: B732D370D10259CFEB90DFA9C984A8EFBB2BF49751F15C1A9D508AB221CB30D985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06AF0006 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00d466b894bd86de0170546b75d6e5a7fecfc7c5ec0f0a33a479f86ac5d71ce
Instruction ID: 5be356ed1c8c00f079a243e89b9e4b505660e04d6a4edda06cee3d0801e3bc3e
Opcode Fuzzy Hash: f00d466b894bd86de0170546b75d6e5a7fecfc7c5ec0f0a33a479f86ac5d71ce
Instruction Fuzzy Hash: C0E1073181075A9BCB11EBA8C850A9DF7B1FFD5300F518B9AE5093B215EB706AC9CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF0040 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bd9a8503b48238c13b40df3d3bb3312f64e9ddc2f0d378e3bba35bcf2d9ede
Instruction ID: 3cd9bfc4ad2a5705ce002eb34a6c9f691fa0de077c1825af4c55207c8c295399
Opcode Fuzzy Hash: 76bd9a8503b48238c13b40df3d3bb3312f64e9ddc2f0d378e3bba35bcf2d9ede
Instruction Fuzzy Hash: 42D1D831C1075A9ACB10EBA8C950A9DF7B1FFD5300F518B9AE5093B214EB706AD8CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF58CE Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674ca278df1bf9fbab559c87e925853abfccfef5ba1bf0e8a754ef5ebc2e8ec0
Instruction ID: d31d5ab84447f37dfe4742d15ba979393c23cf4fc529b3b8f7f76299a5889a27
Opcode Fuzzy Hash: 674ca278df1bf9fbab559c87e925853abfccfef5ba1bf0e8a754ef5ebc2e8ec0
Instruction Fuzzy Hash: 3E810174E142198FCB54EFEAC4845AEFBF2BF58310F24852AE518EB215E7309942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06AF5410 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67cf120f440c7bded083be2cee10a263fd42eb4c3b6d49c598cd8f6603e9b075
Instruction ID: 3d42fdca37093be51401641f886c7463afbe9f7d3e211f92f0e9a3a6bb4eb7f4
Opcode Fuzzy Hash: 67cf120f440c7bded083be2cee10a263fd42eb4c3b6d49c598cd8f6603e9b075
Instruction Fuzzy Hash: EC610775E0421C9FEB44DFE9C8446AEBBF6FF88301F14802AE919AB258DB345906CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B768 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B8B7C8
GetCurrentThread.KERNEL32 ref: 00B8B805
GetCurrentProcess.KERNEL32 ref: 00B8B842
GetCurrentThreadId.KERNEL32 ref: 00B8B89B

Strings

xty, xrefs: 00B8B8C7

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID: xty
API String ID: 2063062207-3341391248
Opcode ID: 347d1d80dcbae0eca76e8ae875a760e7eef603db18cb7456f0315d0db76c8d1e
Instruction ID: 1e6a3b679eccc0aab0df64f87787a06a0f1234e095fabb6bd94f53fddbf413b0
Opcode Fuzzy Hash: 347d1d80dcbae0eca76e8ae875a760e7eef603db18cb7456f0315d0db76c8d1e
Instruction Fuzzy Hash: 8D5144B09017098FDB24DFAAD988BDEBBF5EF88310F208559E409A7760DB746844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B763 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B8B7C8
GetCurrentThread.KERNEL32 ref: 00B8B805
GetCurrentProcess.KERNEL32 ref: 00B8B842
GetCurrentThreadId.KERNEL32 ref: 00B8B89B

Strings

xty, xrefs: 00B8B8C7

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID: xty
API String ID: 2063062207-3341391248
Opcode ID: e9651abf0f25391f0a7b10d3e061547b78bcecfc61c7d4792167df4a7d14e457
Instruction ID: a1461e57d07003c71265211163dc4ddee8b013787478f57d4c977c886d77a505
Opcode Fuzzy Hash: e9651abf0f25391f0a7b10d3e061547b78bcecfc61c7d4792167df4a7d14e457
Instruction Fuzzy Hash: 155155B09017498FDB14DFAAD988BDEBBF5EF88300F208569E409A7761D7745844CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00B89470 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B896B6

Strings

pNf, xrefs: 00B895EE
pNf, xrefs: 00B89613

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID: pNf$pNf
API String ID: 4139908857-3819835515
Opcode ID: d96ab648f9fa07aed0b4d8ffc260d907c503c7632d96e1d7ddddfb861283308b
Instruction ID: 757f5c7376adb3d5fdca63d47f98f884ab3e9927a99eca81095390fb12a7ead7
Opcode Fuzzy Hash: d96ab648f9fa07aed0b4d8ffc260d907c503c7632d96e1d7ddddfb861283308b
Instruction Fuzzy Hash: 4E713570A00B058FDB61EF2AD4506AABBF1FF88310F04896DD446D7A60EB74E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AFD770 Relevance: 3.0, Strings: 2, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Q\, xrefs: 06AFDFD6
{Q\, xrefs: 06AFDF22

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: {Q\${Q\
API String ID: 0-630889214
Opcode ID: 930f5ac4d9ab978fd4fe4504b187a1d278941310d14418673af6b74c49ad4aba
Instruction ID: d1110494943c1f32957e5e4b48e96216f3e13648eea5422940d704d8cdf26ee4
Opcode Fuzzy Hash: 930f5ac4d9ab978fd4fe4504b187a1d278941310d14418673af6b74c49ad4aba
Instruction Fuzzy Hash: B8424774A00219CFD790EF68D994A9DBBF2FB88340F1085A9EA09EB319DB309D55CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06AFD780 Relevance: 3.0, Strings: 2, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Q\, xrefs: 06AFDFD6
{Q\, xrefs: 06AFDF22

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: {Q\${Q\
API String ID: 0-630889214
Opcode ID: 6e3b07d86d0b5eddbef8f1b7e3fb16b591ccbc8fe054e9d18f28bfe169cb6834
Instruction ID: 173b4d047b0dd541343e9d3a1d2e1a6b84b2065b136d17feaba847c4dbf1725b
Opcode Fuzzy Hash: 6e3b07d86d0b5eddbef8f1b7e3fb16b591ccbc8fe054e9d18f28bfe169cb6834
Instruction Fuzzy Hash: 57324774A00219CFD790EF68D994A9DBBF2FB88340F1085A9DA0AEB319DB309D55CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0687193D Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06871B7E

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a17cdfa5d6b3b0c3c0631915ed94a728693f3f7db4fb274d61866f941793befb
Instruction ID: 94577e0b1dbc4c74aac236097baad9cc81e1b5c9ec3663c54d1b95c30008a66e
Opcode Fuzzy Hash: a17cdfa5d6b3b0c3c0631915ed94a728693f3f7db4fb274d61866f941793befb
Instruction Fuzzy Hash: FEA14971D00219CFDB64CFA8C885BEDBBB2BB48310F1885A9E849F7640DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06871948 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06871B7E

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 50dc91e2a04e6513e68b2c86d921cb3d5d3913ba44fe0336ccbe40b5279caf3c
Instruction ID: 78b06c5d6407c15e2655d4c5a3d299292cf94425b77b1f28f3a3285f4032b583
Opcode Fuzzy Hash: 50dc91e2a04e6513e68b2c86d921cb3d5d3913ba44fe0336ccbe40b5279caf3c
Instruction Fuzzy Hash: 19915971D00219CFDB64CFA8C885BEDBBB2BB48310F1885A9D849F7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B8FDCC Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B8FEEA

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9a6d454dfbc13d6447aad75fbdf19a320d78cab076ec05dd2db0ff668cd54c51
Instruction ID: 4d212a0fffdd908abd3a2d61b4c1438b96b4564350ec2cb7513c3488a756ab45
Opcode Fuzzy Hash: 9a6d454dfbc13d6447aad75fbdf19a320d78cab076ec05dd2db0ff668cd54c51
Instruction Fuzzy Hash: 7C51CFB1D003199FDB14DFAAC884ADEBFB5BF48310F24816AE419AB261D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8FDD8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B8FEEA

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c8f053d50f8b08a5cef8bc540bacaefef1ad01976c6eb674966487ed7294a78c
Instruction ID: 67f95a6696d2dc788092e95cde271bf47c07fdddfecac1261488b913c1328458
Opcode Fuzzy Hash: c8f053d50f8b08a5cef8bc540bacaefef1ad01976c6eb674966487ed7294a78c
Instruction Fuzzy Hash: 2841AFB1D103099FDB14DF9AC984ADEBBF5FF48310F24816AE419AB260D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B85344 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B85401

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 92a75d449fb0294aa6eda5ca74c4b7201392ce6ec25bddb2a7160206a007e749
Instruction ID: 97c43b26bed02ba86f56b785298dba56fad7df577b9bc3b0844f5209d74ccf44
Opcode Fuzzy Hash: 92a75d449fb0294aa6eda5ca74c4b7201392ce6ec25bddb2a7160206a007e749
Instruction Fuzzy Hash: 3641E371C00619CFDB24DFA9C9847CDBBB1BF48304F2481A9D409BB255D7B5598ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B83DE4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B85401

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cdb6f9cf2c26c42e6ec733f53bb98c92a018b3ee9ca076df15718352399fa61b
Instruction ID: 07dbb9d4c9bd00b9e1ad8361d6506616cce38626770195232fa1103c816aa80d
Opcode Fuzzy Hash: cdb6f9cf2c26c42e6ec733f53bb98c92a018b3ee9ca076df15718352399fa61b
Instruction Fuzzy Hash: 9141D271C00619CEDB24DFA9C884BDDBBF5BF48304F2481A9D409BB255D7B56989CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06871628 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 068716C0

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b5e78fbb795a7cc7732a150119a412df8804d5d85d0d001a09ff9c55557c958e
Instruction ID: 1f2a01987e0e2bdffb1b1cb05d6e662bd54631fc6838f5b09bf31ac274829f69
Opcode Fuzzy Hash: b5e78fbb795a7cc7732a150119a412df8804d5d85d0d001a09ff9c55557c958e
Instruction Fuzzy Hash: BF2145719003099FCB10DFAAC8847EEBBF5FF48310F54842AE959A7241D778A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B898D0 Relevance: 1.6, APIs: 1, Instructions: 71libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B89731,00000800,00000000,00000000), ref: 00B89942

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 363a7e52de9f2188fc2745c98bf101045158dd04e0fcc44a897b1ffe7f343f86
Instruction ID: 850613407dd57b3933826919784bce222b30c37e4d04193ccf9a841d3b02e514
Opcode Fuzzy Hash: 363a7e52de9f2188fc2745c98bf101045158dd04e0fcc44a897b1ffe7f343f86
Instruction Fuzzy Hash: 512189B5C043498FCB11DFAAC444AEAFFF4AF59320F18819ED455A7250C3745944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06871630 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 068716C0

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d2bbf7140350508d02dfec760eb51849e0875f41b380ac1540a98a1b8e61598d
Instruction ID: f462185b9d140ba78f44ee0f25a32b606c12be5f4d9bf6c1bd197d9908ee2736
Opcode Fuzzy Hash: d2bbf7140350508d02dfec760eb51849e0875f41b380ac1540a98a1b8e61598d
Instruction Fuzzy Hash: 3B211571D002199FCB50DFAAC884BDEBBF5FF48310F54842AEA59A7640D7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06871748 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 068717D0

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 566b6f41930a9f65a3c0ebc1220e8038ae42cb81ba9f9a7aff9a995bad425ce7
Instruction ID: 50544623e99e106c65a8213aa68d1f2a07827ecd973dd4957920e91dc8c762aa
Opcode Fuzzy Hash: 566b6f41930a9f65a3c0ebc1220e8038ae42cb81ba9f9a7aff9a995bad425ce7
Instruction Fuzzy Hash: E7214571C003099FCB10DFAAC884AEEBBF5FF48320F50842AE559A7650C7789945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06870F10 Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06870F96

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 786a3572f3200caa7ea042b6afd6ef160ba224654c97591b8743a1a06db7cfc3
Instruction ID: d762a5b8947abc59210a333ec99f48018bc2973a55be571128ae2b9ea5593346
Opcode Fuzzy Hash: 786a3572f3200caa7ea042b6afd6ef160ba224654c97591b8743a1a06db7cfc3
Instruction Fuzzy Hash: 832145B1D002098FCB50DFAAC4847EEBBF4AF58320F54842ED559A7241C7789944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06870F18 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06870F96

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e0d38ddebde109fecf0cb60db0c4c3918b6e41c35301954073210dd559422b1c
Instruction ID: ed82312e2d217f4d039b5e7345694730011e154674ea97aa7cf8838904812ea1
Opcode Fuzzy Hash: e0d38ddebde109fecf0cb60db0c4c3918b6e41c35301954073210dd559422b1c
Instruction Fuzzy Hash: 1B2138B1D002098FCB50DFAAC4847EEBBF4EF58324F54842AD519A7241CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06871750 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 068717D0

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e1f0e49646231aa6f71e6c3c380062756cc96f254f3080bee7bf08255f65c668
Instruction ID: d4b485bb921982d06a4c61085779a75a4a44ace66daba38ede3ad4ff1e15c802
Opcode Fuzzy Hash: e1f0e49646231aa6f71e6c3c380062756cc96f254f3080bee7bf08255f65c668
Instruction Fuzzy Hash: 65212571D002199FCB10DFAAC884AEEBBF5FF48320F54842AE559A7240C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B990 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8BA17

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1ad251b1bac1dcc9041917674dace9e089e524423d5ab6f5f30ee6c90bb781e5
Instruction ID: ef95198c96439b6693657f5f87a8dc8a256be533ff02608a1c275fd79f0bc6c6
Opcode Fuzzy Hash: 1ad251b1bac1dcc9041917674dace9e089e524423d5ab6f5f30ee6c90bb781e5
Instruction Fuzzy Hash: D521C2B5D002199FDB10CFAAD984ADEBFF8EB58320F14845AE915B7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B98B Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8BA17

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2aba707f16b93fb04966170b139a48b80f54f595e5cdaf0be2da14de84aee2ae
Instruction ID: dcf51a2a1604184760bd35b8b80aeda0a6c7d1ff9de7329701e8df2e156d4c9d
Opcode Fuzzy Hash: 2aba707f16b93fb04966170b139a48b80f54f595e5cdaf0be2da14de84aee2ae
Instruction Fuzzy Hash: 2621E3B5D002499FDB10CFAAD984AEEBFF4EB58320F14856AE855B3350C378A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B889D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B89731,00000800,00000000,00000000), ref: 00B89942

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0d488b5044bd7d8235cc9a95ad373c3a888a5d988a7a2bdbf1e061ba898849f3
Instruction ID: 0a449dfa74069829729a78da8d473224d3fd401279d3e3f700286acc1cd07a4f
Opcode Fuzzy Hash: 0d488b5044bd7d8235cc9a95ad373c3a888a5d988a7a2bdbf1e061ba898849f3
Instruction Fuzzy Hash: DA1114B6D002098FCB10DF9AD444AEEFBF4EB98320F14846ED415B7610C3B8A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06871539 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 068715AE

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 22d45573f2c82a8aab3bbc03b570d91abb0612b2e0885423f3ee12b3795c1332
Instruction ID: 7fbc2876aa5a582a2d00e2db7558f8c226295b0340ae24b6d45ef9049e711286
Opcode Fuzzy Hash: 22d45573f2c82a8aab3bbc03b570d91abb0612b2e0885423f3ee12b3795c1332
Instruction Fuzzy Hash: B5118672D002098FCB10DFAAC884ADFBBF5EF48320F14881AE51AA7600C7789940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06870E30 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06870E9A

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7870c6e00a92d5464367c71585984ed99bb113fc5d1f30dd8b73747e0b24072e
Instruction ID: 7fedea7cabd6d18bb626ab2a2d80ae4f6f2b138abb3240c1493540036ac5ce78
Opcode Fuzzy Hash: 7870c6e00a92d5464367c71585984ed99bb113fc5d1f30dd8b73747e0b24072e
Instruction Fuzzy Hash: 53112671D002498EDB10DFAAC4447AEBBF4AF98324F24881AD555A7200C779A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06871540 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 068715AE

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c8386a31171defbd432b016bdbb8496d90a2b60044aeb82032813905c7c52897
Instruction ID: 5ad5ac3ef0367d92ed94fcd22206ed6f47515dbf1929f662dc402a27b6675de5
Opcode Fuzzy Hash: c8386a31171defbd432b016bdbb8496d90a2b60044aeb82032813905c7c52897
Instruction Fuzzy Hash: E6113771D002099FCB10DFAAD844ADFBFF5EF48324F148419E515A7250C7799944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06870E38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06870E9A

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6808ad97f23eaac5d03e198f30119b3774cbc67350edd988ebe6550af5cd540a
Instruction ID: 0a6780250cb5fed574f3d059e6cc4e7cd3b6e07d8085a068b56b2145e30fcbc9
Opcode Fuzzy Hash: 6808ad97f23eaac5d03e198f30119b3774cbc67350edd988ebe6550af5cd540a
Instruction Fuzzy Hash: AC11F8B1D002498FDB10DFAAD8447DEBBF5AF98324F148419D519A7240C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B89650 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B896B6

Memory Dump Source

Source File: 00000008.00000002.397682772.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b80000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 65f6e6dc34d359729b2f0047792f814a6f5c815ac8dd1b2da45f23ce8b41b2c5
Instruction ID: 4e924c420428ffbeb7f150988755bd9561d508e4faf1847ec05162e3dc12f99e
Opcode Fuzzy Hash: 65f6e6dc34d359729b2f0047792f814a6f5c815ac8dd1b2da45f23ce8b41b2c5
Instruction Fuzzy Hash: 531110B6C002498FCB10DF9AC844ADEFBF8EB88324F14855AD429B7210D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0687B9B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0687BA10

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bd008122e24605f7678d08f59a54feb46c7488cc373a99c4fb5ce82133a5808a
Instruction ID: 4ba3f3f2d58471fc7c2e109fb3ad586eb91d2c884bb09580427be2eb2c2b5885
Opcode Fuzzy Hash: bd008122e24605f7678d08f59a54feb46c7488cc373a99c4fb5ce82133a5808a
Instruction Fuzzy Hash: 7F1103B5C002098FCB50DF9AC584BDEBBF4EB58320F14845AD559B7340D778A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0687A040 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0687A09D

Memory Dump Source

Source File: 00000008.00000002.410352706.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6870000_dhcpmon.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6b84401ecb6e1fa912e6c4a91c21cc029d2681bd1e110ab9b135bcc8e4614bb3
Instruction ID: 0a6742abf1a3de0c0dbf42177bd876f889daff3b74173bedae97591bd50a7a78
Opcode Fuzzy Hash: 6b84401ecb6e1fa912e6c4a91c21cc029d2681bd1e110ab9b135bcc8e4614bb3
Instruction Fuzzy Hash: 6B1103B58002099FDB10DF9AD984BDEBBF8EB58320F10881AD514A7600C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF42CF Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

@, xrefs: 06AF43C7

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c5ae1dec72363cca5ef1dd108bf4f5308f407f86bc366320c2dce0b893c8d19c
Instruction ID: 58a765b06513f9d75e743f3cc35b2c0023f713b98c7f210daac0f1dea921e4ca
Opcode Fuzzy Hash: c5ae1dec72363cca5ef1dd108bf4f5308f407f86bc366320c2dce0b893c8d19c
Instruction Fuzzy Hash: B7B17D78E142198FDB50DFA9D880A9DFBF1FF49214F1491AAE918EB306D730A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06AFF7B0 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

D0q, xrefs: 06AFF903

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: D0q
API String ID: 0-2992449603
Opcode ID: 1ea6657f9356e33ab2de4d5e43a51fee20e867be6adf8a779d126aeff41ead10
Instruction ID: a9c625eff4ec293cf97d07b5c2ff79dcc8254891728f647926ddde4f0c6a0431
Opcode Fuzzy Hash: 1ea6657f9356e33ab2de4d5e43a51fee20e867be6adf8a779d126aeff41ead10
Instruction Fuzzy Hash: 2151D331F112058FCF55ABF989602AEBAB2AF85340F200569E606B7390DF759D01C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 06AFC2B0 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

r, xrefs: 06AFC45A

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 1052f2c1eb26c9ec514dabaf01b2e58d7cb5d05dd8a9425bdca05787ba0f74d0
Instruction ID: 33d075bf1f2c46922500b3fa93bb0a6c07bba694f211b667fb27dd618a4a6b8c
Opcode Fuzzy Hash: 1052f2c1eb26c9ec514dabaf01b2e58d7cb5d05dd8a9425bdca05787ba0f74d0
Instruction Fuzzy Hash: 90614D7490020ADFCB44DF9AC5848AEFBB2FF88351B618695D90697355C734EE81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AFC2A3 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

r, xrefs: 06AFC45A

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 7f2d0cd9f983da69821a1dc90d43631fae1a0031b0ee73a35d2d99ed3d95d814
Instruction ID: 717ee055298b46c80083386d4c889d5444938734b81a2e421b1b51260881c075
Opcode Fuzzy Hash: 7f2d0cd9f983da69821a1dc90d43631fae1a0031b0ee73a35d2d99ed3d95d814
Instruction Fuzzy Hash: E1316074D06209CFCB58DFAAC5444AEBFF2FF89301B1084AAE906A7351C7349A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06AF4A3A Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

$,q, xrefs: 06AF4A53

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID: $,q
API String ID: 0-532241818
Opcode ID: 3cc143719bbf1e2e8aec9730d90cdf1927a6ca1248ec9ce6865673faff648df1
Instruction ID: 6b268e3dcd4a21d5ba8ddb01621f30781ae898720fa43b79d0c15cba4546ce23
Opcode Fuzzy Hash: 3cc143719bbf1e2e8aec9730d90cdf1927a6ca1248ec9ce6865673faff648df1
Instruction Fuzzy Hash: 1211D074E04119CFEB85EF98D4405AEB7F2FB88201F104569EA11AB395CB38AD05CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 06AFEE5B Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97526fc02fc9a3acb07f3c2b7e24c5a8aa2eeb9814ca883b7b115a8a68c4101
Instruction ID: 2ff059f0859802341d150ed8aca3ad02d54792f2a28e7faf4fd33c7382aa874a
Opcode Fuzzy Hash: b97526fc02fc9a3acb07f3c2b7e24c5a8aa2eeb9814ca883b7b115a8a68c4101
Instruction Fuzzy Hash: 4FE16034E001099FDB55EFA8C850BAEBBB2FF89310F248069E905BB358DB359D51CB56

Uniqueness

Uniqueness Score: -1.00%

Function 06AF11C0 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f16bf8482ff42986d650b81f6dda5bf90d74413b329a2c558fdde3adeb6ea4
Instruction ID: c9ff43f540babe864123398b50271899f48a8312d972c9539f44229f998c94ff
Opcode Fuzzy Hash: 77f16bf8482ff42986d650b81f6dda5bf90d74413b329a2c558fdde3adeb6ea4
Instruction Fuzzy Hash: 50F14B74A00109DFDB44DF98D484AADFBB2FF89304F1581A9E909AB365CB34AD85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06AF11B3 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295fc365f403536721c813d7a744ce5797ceb73319004e7fc15493d959678b82
Instruction ID: 5e0c6745bbcb2ce3ae27f3e2a7ad4959355f486eb88ee3be06e334727002de1a
Opcode Fuzzy Hash: 295fc365f403536721c813d7a744ce5797ceb73319004e7fc15493d959678b82
Instruction Fuzzy Hash: F9D11674A00208DFDB44DFA8D484A9DBBF5FF88305F1581A9E909AB365CB34AD45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06AF10B4 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352c3444df1772b4ac935e7f3f17710527e16d4ca584662b207d55e7608f9764
Instruction ID: dc9679d4d916f4d9848ff01d6db9e80e191c0d104d2642ea136c4d39d7abe6da
Opcode Fuzzy Hash: 352c3444df1772b4ac935e7f3f17710527e16d4ca584662b207d55e7608f9764
Instruction Fuzzy Hash: 5EA1E574E002099FDB54DFE8D4546AEBBB6FF88301F20802AE906AB355DB349D45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AFAC20 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5295515ca5725e4d8c259cd4b1789751d3b62504505f02c2e76f8aa1ecf01991
Instruction ID: c421668ef36c504a3eee3850002837b3c42c46e6b0306cb9ad4d2d892e246f0d
Opcode Fuzzy Hash: 5295515ca5725e4d8c259cd4b1789751d3b62504505f02c2e76f8aa1ecf01991
Instruction Fuzzy Hash: 2A91D674E0025E8FDB44DFA8C8909DDBBB2FF88310F108A69D505AB355DB34A946CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06AF37D8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac651b4e95018ccfce63c9a1f6f67a73e642384536ea9a9dc56c6dfc1c25df05
Instruction ID: 2d5680a5512aa340faf73ea856e5c524600d1e1f55190aad7a0d1c6bab21b9e4
Opcode Fuzzy Hash: ac651b4e95018ccfce63c9a1f6f67a73e642384536ea9a9dc56c6dfc1c25df05
Instruction Fuzzy Hash: 1051F574E002089FEB54DFE5D8546AEBBB2FF88304F109029E915BB394DB385946CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06AFA9F8 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c9e1c6977847a04d5d0053e82df5f6628fdfd874eaababe3f0a436aeaa85c8
Instruction ID: e458a94115301bfb3650a1bcff6b0103cbaae595475d7d9c0f220b96581cbf3d
Opcode Fuzzy Hash: 72c9e1c6977847a04d5d0053e82df5f6628fdfd874eaababe3f0a436aeaa85c8
Instruction Fuzzy Hash: F051B274E012188FDB08DFE9D9506AEBBF2FF88300F20812AE919BB354DB355946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06AFA9E9 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ef6a700a3cd74523e8bb26e183e245ee858b9784373d9ba50817f23b692191
Instruction ID: 2b50aa9d410127a83a147e8ef54625452fe96b46dbd05cd1962a3949bd35855a
Opcode Fuzzy Hash: e1ef6a700a3cd74523e8bb26e183e245ee858b9784373d9ba50817f23b692191
Instruction Fuzzy Hash: 5651E575E01218DFDB08DFE9D94069EBBF2FF88300F20812AE919AB354DB355946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF0E3C Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2501c242273b3c506a1506095f739c853792cae05a181970c9a497827de6c66c
Instruction ID: 6144a841ef5fc42df90fcfb4aeb23ec1532947c2fe810a8e4d80344d62961221
Opcode Fuzzy Hash: 2501c242273b3c506a1506095f739c853792cae05a181970c9a497827de6c66c
Instruction Fuzzy Hash: 0E41A371A142099FDB40EFE9D8806EFBBF5FF84310F14842AE915A7240D7799905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF2DC0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204f5930eed10a135b2ee4bf133ffe842614e9a29fab3233e493435e6a86b30e
Instruction ID: ca1c140fde29a0efa80ae76981aea43dc858addcab6f0c6a9f594c934cf90980
Opcode Fuzzy Hash: 204f5930eed10a135b2ee4bf133ffe842614e9a29fab3233e493435e6a86b30e
Instruction Fuzzy Hash: 21311835A002195FD754EBA9C8606BF7BABEFC1310F14C079E9169B381DE358D058791

Uniqueness

Uniqueness Score: -1.00%

Function 06AF4F08 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58092924f5b4c20362a45e338a7a5fb751b1fa6bfbb49a15846bd538c5c8037
Instruction ID: b16e0dd6f7e5f409c0192f3285acfb8827394de54732b6ff5a362185f9d8504b
Opcode Fuzzy Hash: c58092924f5b4c20362a45e338a7a5fb751b1fa6bfbb49a15846bd538c5c8037
Instruction Fuzzy Hash: BB41BB72A042489FCF50DFA9D884ADFBFF4EF49324F04806AE519AB211D735A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB25F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde6c7d8af21c7200aa212a7439dcc16927fb1eabba173925007c4601e6a6abc
Instruction ID: ae8a1806ac70a195307ffa43080fdd53752f2b6f5068ba6ca4e3dae108f6dbde
Opcode Fuzzy Hash: dde6c7d8af21c7200aa212a7439dcc16927fb1eabba173925007c4601e6a6abc
Instruction Fuzzy Hash: 90315B74E052098FDB08DF9AC8446AEFBF2FF88300F14C16AE519A7291D7345941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF5F38 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36169ca7ac2d46c8b9d263f1a50a2d4e684954b441926ee0050ae93d9a51f51
Instruction ID: e63e44630d52892d93fc36f4c57828d9565313ccf5bbef8301066dabc5b6ae5b
Opcode Fuzzy Hash: a36169ca7ac2d46c8b9d263f1a50a2d4e684954b441926ee0050ae93d9a51f51
Instruction Fuzzy Hash: BE313A34E10208DFDB45DFA9C444AAEBBF6FF88750F1480AAE911AB354D7349945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 06AF41B9 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502c285350a14f94cbd25b75ad0731ffc3d92f99247b0b72483e9d7a4cec565d
Instruction ID: 3f3fd5db43429e1340744e4d477f6635772cbbbf41c8b38f5ba01fbd4a7ed474
Opcode Fuzzy Hash: 502c285350a14f94cbd25b75ad0731ffc3d92f99247b0b72483e9d7a4cec565d
Instruction Fuzzy Hash: 84319FB4E1120A9FDB40DFE9D9446EEBBF4EB48200F1084AAE914F7601E7359A40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AFCE98 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29aeefe26dffdb5c871a825dbdcd433e2fc0e42a89a5eeecbd7734f6b32c4b21
Instruction ID: c051db3d1769ea289abfd0bca9a138550349045e08430bf7b42e0c9f3017bce6
Opcode Fuzzy Hash: 29aeefe26dffdb5c871a825dbdcd433e2fc0e42a89a5eeecbd7734f6b32c4b21
Instruction Fuzzy Hash: 5331D074E102099FCB40EFA9D884AEEFBB1FF88720F10816AE515B7240D734A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0066D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.394711078.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958bb80670474940b0041468081fac8e74ac4ae2b74b382c776226b901516202
Instruction ID: ae4ca8686bd3f409089b45718756c284b02ac3ad100db97a706c7d467554003e
Opcode Fuzzy Hash: 958bb80670474940b0041468081fac8e74ac4ae2b74b382c776226b901516202
Instruction Fuzzy Hash: C521F275A04240DFDB14DF14D9C0B26BF66FB88314F24C569E80A4B346C33AD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB368 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561a6b85aa6c480cc651eccc1eb2fd9135178b6b1e4d4d27626352758cb6058e
Instruction ID: 693187ad67abcf104bd8a1b8860ff85ec4879c6d802c25bb8a440d177d0606f0
Opcode Fuzzy Hash: 561a6b85aa6c480cc651eccc1eb2fd9135178b6b1e4d4d27626352758cb6058e
Instruction Fuzzy Hash: 0931E378E012089FDB44DF99D180AEEBBF2EB8C310F1141AAE909A7754C735AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3F61 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61f142f483833eb49265ac8bce1d77891514d7e24cacef96606df1b9dc65636
Instruction ID: d44245c87d34e8deb3608456119d9f9cf66eb2a6b57207e0d9981b0b697fc4cf
Opcode Fuzzy Hash: a61f142f483833eb49265ac8bce1d77891514d7e24cacef96606df1b9dc65636
Instruction Fuzzy Hash: CB211A34D15208EFCB90EFE8E4546ADBBF4EB88200F1085AAE918E7351D6355E05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB378 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7938c018b6d8596464bd7f694a35d79d596f38a4e26d933a0ee4a5c6edfb244
Instruction ID: 5426523247e270d6ce09dc174284431590f5cbd55b66829bc5ec847a513e3b5a
Opcode Fuzzy Hash: c7938c018b6d8596464bd7f694a35d79d596f38a4e26d933a0ee4a5c6edfb244
Instruction Fuzzy Hash: D121B078E012088FDB44DFA9D580AEEBBF2EB8C311F1141A9E909A7754D735AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AFC598 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd4a2d4ee13e87900a9bd2b45f2d847d07bce0b403e7480caf5a30d82a5535c
Instruction ID: 1490a26d4b17d5005172dce47517a859d5b74eaebfb679f6de4ce58a7e62410d
Opcode Fuzzy Hash: 1dd4a2d4ee13e87900a9bd2b45f2d847d07bce0b403e7480caf5a30d82a5535c
Instruction Fuzzy Hash: 2721CD74A04208DFD714DBA9C544E5ABFF2EF8A320F19C1D9EA489B2A2C730DE01DB41

Uniqueness

Uniqueness Score: -1.00%

Function 06AF2E88 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d03dc7fcd568315a6f7ea26d29a591413cbc2bab7c2b0753fcf1087a43d6b7
Instruction ID: c12a0f41ad972bcf7ee36d9c74061b10ecb7ae48883dd563ca6ab522901d29f4
Opcode Fuzzy Hash: 63d03dc7fcd568315a6f7ea26d29a591413cbc2bab7c2b0753fcf1087a43d6b7
Instruction Fuzzy Hash: 5E11C236A242159BEB84EF95DC805BF7BB7FF85210704C43AE9168B045EA359916C351

Uniqueness

Uniqueness Score: -1.00%

Function 06AFEDA8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac736704c5e6573d9c6fefd61e27c76c09bc6d52a902a5dcfb4685f6a276b8e0
Instruction ID: 76c52f1cfcad37d68576ef142830e3df80dd04b220722f7bca15a07232d14090
Opcode Fuzzy Hash: ac736704c5e6573d9c6fefd61e27c76c09bc6d52a902a5dcfb4685f6a276b8e0
Instruction Fuzzy Hash: 1611A730F10115BFDBB4ABB9D81427F7AE6BFC5750F048129FA069B794DA34894087D2

Uniqueness

Uniqueness Score: -1.00%

Function 06AF36A1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789075d710c5a3c7b2b23efea56a6ce692e6d8084d6187903e691772f9e8ceb8
Instruction ID: c00fcdbb2237070278a4e2fe0811aa8bf7e2b3af610436447318134d5eb9058f
Opcode Fuzzy Hash: 789075d710c5a3c7b2b23efea56a6ce692e6d8084d6187903e691772f9e8ceb8
Instruction Fuzzy Hash: E22120B58043499FCB51DFAAD884ADEBBF4EB48320F10855AE918A7211C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AFAF2B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b9e4a075e1f7f2cac1839d056a8f1d25002d6769c2d96d033c480b409efe6b
Instruction ID: 9b106d5db01d3c3c741d1f31fa819ee598c81636d435fe670a1a26ce075483eb
Opcode Fuzzy Hash: 63b9e4a075e1f7f2cac1839d056a8f1d25002d6769c2d96d033c480b409efe6b
Instruction Fuzzy Hash: 0C113A74E1021A8BCB40EFA8C5506EEBBB2FF88300F108A25E5157B340EB346E45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06AF4ED1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4042d50e7def989f99dde84819b86cc9de5e0d80b3f78c6a813a4831a2e8bacd
Instruction ID: 3ade66193734d8c568253d7f4db877e64946ccbd6b5f2bcbae91c13618ccd226
Opcode Fuzzy Hash: 4042d50e7def989f99dde84819b86cc9de5e0d80b3f78c6a813a4831a2e8bacd
Instruction Fuzzy Hash: 8F11DB725183846FCB52DFB8DC948AABFF8DF0711470941EBE448CB167E6319912C755

Uniqueness

Uniqueness Score: -1.00%

Function 06AF36A8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c35485a29f131029d7d9376ed49cd3a110231e32b2a3ce89c86c88cd8b2513
Instruction ID: ec28da077b3823a0eb1773e7cc2b8ede6ec45672e936d209406d1c03314cecf6
Opcode Fuzzy Hash: 76c35485a29f131029d7d9376ed49cd3a110231e32b2a3ce89c86c88cd8b2513
Instruction Fuzzy Hash: C621FFB5D002099FCB50DF9AD984ADFBBF8EB58320F10841AE919B7200C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF60CC Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ba8b9ceffc14db06a84083924677323ebd7e1f7a416da5b91d32aaae1f083b
Instruction ID: 0ddda5154937a4f1848c34b8d3eccf703ae3d56d7691d249c8d7e26b86ec0502
Opcode Fuzzy Hash: 31ba8b9ceffc14db06a84083924677323ebd7e1f7a416da5b91d32aaae1f083b
Instruction Fuzzy Hash: 4D11E5B1C09148EFD740EFE4D8406ACBFB0EB86200F14C1EAE55597251E6719A02DB82

Uniqueness

Uniqueness Score: -1.00%

Function 06AFAF30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6603e0ddb9efe6f3e62f1a88a2563d91a029965b4ec0a1a8f625617bfccc9
Instruction ID: e3fed18fe264d15aa78699512c60b5e33667d628733f399117cd040ee49e03f5
Opcode Fuzzy Hash: 65a6603e0ddb9efe6f3e62f1a88a2563d91a029965b4ec0a1a8f625617bfccc9
Instruction Fuzzy Hash: 06110775E1021A8BCB80EFA8C5546EEBBB2FF88300F108A25D5157B340EB756E45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0066D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.394711078.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
Instruction ID: 09b25d697904ee87236edfb590b4719e3598ccc4dbfcc35cc2df8bb0298b0cfa
Opcode Fuzzy Hash: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
Instruction Fuzzy Hash: 0D11BE75A04280CFCB11CF14D5C4B55BB62FB84314F24C6A9D8494B756C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 06AFCE89 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5efc433d0b71e8bd2c187c030ef9e4920f1982766a5fbb1e00f0958060a27d3
Instruction ID: 19c42ca0c7da1403ac5ca2dbe29b380a20876c909af12d99afecdd103cdd9f2f
Opcode Fuzzy Hash: b5efc433d0b71e8bd2c187c030ef9e4920f1982766a5fbb1e00f0958060a27d3
Instruction Fuzzy Hash: 7011AD30D112189FCB04EFA9D844ADEFBB2FF89720F04816AE901BB340CB309945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB4E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cef59642a37119aced14d0ea6efd8d310beb12bf436903e34ae3248ba09b57
Instruction ID: 53b06a72f89269b98ddae6f3b54b9b377f113753057cadec648ae622f24dc23a
Opcode Fuzzy Hash: 93cef59642a37119aced14d0ea6efd8d310beb12bf436903e34ae3248ba09b57
Instruction Fuzzy Hash: 74113C70904248DFCB58DFA8C44098EFFF2EF8A310F1586D9D844AB352D7349A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AFC5A8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c595cf92c05fbe7618bef6ec355f8ca4a2302e7ddf5567a3068b383139df9aa
Instruction ID: 1f1c3a1d41bbfbfef8586dbf0595575228cd2574a975ce39e0b544510886c533
Opcode Fuzzy Hash: 8c595cf92c05fbe7618bef6ec355f8ca4a2302e7ddf5567a3068b383139df9aa
Instruction Fuzzy Hash: 77011A35A00108EFC744EFA8D644E5ABBF2EB88701F158195E6099B355DA30EE41DB41

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3D28 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a833abbb035b0d4ef6cd95801c13d34b77eb63483e62df6a7980daa4f1f23a3
Instruction ID: 0aace32674b431bdc34bc28b0863e196f7ca47a5bce4fc5b955cfea607ae51bf
Opcode Fuzzy Hash: 6a833abbb035b0d4ef6cd95801c13d34b77eb63483e62df6a7980daa4f1f23a3
Instruction Fuzzy Hash: 29016D78D09248EFDB81EFA8C8012ADBFF8EB49300F0044AAD954A7351D7745A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF5018 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d6fbb5c21c98c422aa1e944225d8519889bf7b7937e46cb473a11453d41250
Instruction ID: 0002f871da4a9a768f26f81f09ebcf5b5aec40b8cfa7c6324461793d21275f0b
Opcode Fuzzy Hash: d0d6fbb5c21c98c422aa1e944225d8519889bf7b7937e46cb473a11453d41250
Instruction Fuzzy Hash: 8E012131C043048FCB10AFEEA8083DAFBF0AF54318F14858AD558AB152C379850ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 06AFC538 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f957ddb3b6f73ab61c1ab3655f6beca35c9f7fb45d29c165739fb244a4488157
Instruction ID: c042a99810b362a829edb71d73c03274a2a36d2bf12f2c97f2f9c1b02dba2ad8
Opcode Fuzzy Hash: f957ddb3b6f73ab61c1ab3655f6beca35c9f7fb45d29c165739fb244a4488157
Instruction Fuzzy Hash: 5EF0F634905244DFD719DF69C8009DBFFB1AF96314F0489E6E4449B2A2C7349F02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB5C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b224e3c25d6273662130fc4d62963e471c10496aee9f5f2b5a9dc17d6d10d1
Instruction ID: 9dcc264c0c8f5860a38876947435d27fc2ed18987928bfefddc37c80da190b36
Opcode Fuzzy Hash: f2b224e3c25d6273662130fc4d62963e471c10496aee9f5f2b5a9dc17d6d10d1
Instruction Fuzzy Hash: 6AF0DAB0D1420A9FDB94EFA9C841AAEBBF4FB48200F5045A9E918E7340E77496418FE1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3DE0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0624860bed26265abb2b8b7a07f155449739a88ced5812dd7458001928c59f1
Instruction ID: 41a3990a01253218d9774b4ac7c1f6615cd4f94cc635db865ef0997ebd607135
Opcode Fuzzy Hash: a0624860bed26265abb2b8b7a07f155449739a88ced5812dd7458001928c59f1
Instruction Fuzzy Hash: 52F03A74D18308EFC751DFA8D940AA8BBF4FF49204F1480DAD95993341D635AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3ADA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26044268ab37677e066ce7320454e3a4d87910549abf2a9e9c2902af610c933a
Instruction ID: b7d456fce4e53593bcc4ea17437493050bb52f98b064756587cac2b11ecd1212
Opcode Fuzzy Hash: 26044268ab37677e066ce7320454e3a4d87910549abf2a9e9c2902af610c933a
Instruction Fuzzy Hash: BBE0927141B258EFC742EFF1D902AEA3FB8EB03210B0405D3E241AB522D5354E04D7E6

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3BB7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5227e4b73e027541dd8ab6244bccb481bde31cf2853b148d8539027be2dd58
Instruction ID: 30200455c4c45f715c0ae4a5ab80d0847902ac8571469e3e127c39e2ba76f4fc
Opcode Fuzzy Hash: ba5227e4b73e027541dd8ab6244bccb481bde31cf2853b148d8539027be2dd58
Instruction Fuzzy Hash: A2F0BE34409248EFCB12DF94C8209ADFFB4EF45200F14809EED4457292C732A912DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3B20 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fcc6daf3a4e66d7717e49c54394a4637bffbb3ab6f3a73694f3a9fb1fb6590
Instruction ID: 06fb252adc402b14fcc3304c62c3c2a0b2f2f880d5cf2b06b85964aa67b023d4
Opcode Fuzzy Hash: 48fcc6daf3a4e66d7717e49c54394a4637bffbb3ab6f3a73694f3a9fb1fb6590
Instruction Fuzzy Hash: 2DF09A34909288EFCB12CF94C820DACFFB0EB4A210F14C5DEED8497252C3324A55DB92

Uniqueness

Uniqueness Score: -1.00%

Function 06AF5737 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f093174b9d44114e8d2afec667710859f9a7bc45690c32e6181fd9168f12b0
Instruction ID: 37d16888c542843ac6c01b03d952a32fbf40008d1ceb63943acc6453f505ac10
Opcode Fuzzy Hash: e6f093174b9d44114e8d2afec667710859f9a7bc45690c32e6181fd9168f12b0
Instruction Fuzzy Hash: 29F03F38E05208EFC794EFA8D590AA9BBF4FF48204F04C5AAD949D3341D3349A02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3390 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1913c82d1dc7e8c8c80d881f0d3ecce4ebbbfd097a8e888a9b99fcdb605b894d
Instruction ID: 2dce2d4208222632354216a3e7a8ef605fe474d13748469dda62d68fc7f1f865
Opcode Fuzzy Hash: 1913c82d1dc7e8c8c80d881f0d3ecce4ebbbfd097a8e888a9b99fcdb605b894d
Instruction Fuzzy Hash: C5E06D3890D208EFDB14EBA8E9515ACBF74FB45304F1081E9D98457352C771A94BC792

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB5C3 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33efdb8784b88ea358289f785d7f238f88ae0961d718b71c405c8fc2c0374c8
Instruction ID: c1b2efacb6dee9fde1aa174c01fd6c6427d573b798605836c8fe29717295ab27
Opcode Fuzzy Hash: c33efdb8784b88ea358289f785d7f238f88ae0961d718b71c405c8fc2c0374c8
Instruction Fuzzy Hash: 3CF0DAB4D1020ADFDB94EFA9C441AAEBBF5BB08200F104469E915E7340E77486418FE1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF607F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3404e2e84c922a9cdc550fe87cb738fbff5eddbe4a326cb0596b12cdb59afee6
Instruction ID: c69407930ab85f2398cad9bfba7643ce916731f37844421df49bdf6fc45d54a6
Opcode Fuzzy Hash: 3404e2e84c922a9cdc550fe87cb738fbff5eddbe4a326cb0596b12cdb59afee6
Instruction Fuzzy Hash: 5CF05E34D09208EFC750DFA8C5506ACBBF4EB88204F14C1EED85897345C3755902CF42

Uniqueness

Uniqueness Score: -1.00%

Function 06AF955F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49866c0de98455e5b3203881737b9158ec01d7379e1f57e20a7e446a7c03e78c
Instruction ID: 9f2fa4e22ea01090caee53d62bdceaab085f8a801e5ae202a4f12a007b925b17
Opcode Fuzzy Hash: 49866c0de98455e5b3203881737b9158ec01d7379e1f57e20a7e446a7c03e78c
Instruction Fuzzy Hash: 41E0923181A208EFC301DFE4D804A9ABFB9EF16200F1001A7E645D7161DA354A08DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3F70 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbaa6b2746cbea86a3a6ac13e974ba80ad03718f2f013eefe995f825e899be2
Instruction ID: 2f3126dd0e95953a5fffb920a3b9e4047790af86fdc306f0b3d4aba353a591d7
Opcode Fuzzy Hash: 9cbaa6b2746cbea86a3a6ac13e974ba80ad03718f2f013eefe995f825e899be2
Instruction Fuzzy Hash: 39F01C74D01209EFCB80EFF8E54869DBBF4EB88200F1084A9C505E7354EA385A40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF17D3 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bbbd8a0e861f66bd1e9daacfbd1e9eff9a88b68b0b94df75fdfd4b525aaa0a
Instruction ID: 5dcf2107d24f55de0f1ef3f6e9d5795a7c510c55b6a5b9a4fb132e3cd557f382
Opcode Fuzzy Hash: 89bbbd8a0e861f66bd1e9daacfbd1e9eff9a88b68b0b94df75fdfd4b525aaa0a
Instruction Fuzzy Hash: 28E0D87A805208DFE311EFA4D4006997B78EB46300F0044D6D10A97151E6340E459BD2

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB563 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41087676f4526ba307f4d54b5d9affbc5c8df8decc3558c656a94068c7928313
Instruction ID: b99626366fba0f85cb6201f0822987a4f017ba07fcce014a3c94e2e8ec450c65
Opcode Fuzzy Hash: 41087676f4526ba307f4d54b5d9affbc5c8df8decc3558c656a94068c7928313
Instruction Fuzzy Hash: C1F0A5B0A01509AFCB04CF99D84089EFBF2FF88210B05CAA59818AB225D730DA018BC1

Uniqueness

Uniqueness Score: -1.00%

Function 06AF5820 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd20c6c909d4b118fae96bf96b98925d36ed1a34520c44f5346b82524fb5125
Instruction ID: a6057458bfe51c18297d09e1d2200bd44121124228c743e7eeb411cb0d077f67
Opcode Fuzzy Hash: 4dd20c6c909d4b118fae96bf96b98925d36ed1a34520c44f5346b82524fb5125
Instruction Fuzzy Hash: ECE0D831C1A20CEFD711FFB4D9106697FA8EB52200F0440E6DA019B111D5349D0497D3

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3B30 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efad928d388a41d88c3898abc8f06856caff4e334020bf3b00466ca7adfd3a6a
Instruction ID: c7f7a4ade917d1762e1134cdf2bc2e51b6ba79dca5e2a897438f9ad4eae5cf6b
Opcode Fuzzy Hash: efad928d388a41d88c3898abc8f06856caff4e334020bf3b00466ca7adfd3a6a
Instruction Fuzzy Hash: 80F01538904208FFCB00DF98D840AACBBB5FB48300F1080A9E90857311C7329A11DB85

Uniqueness

Uniqueness Score: -1.00%

Function 06AF5748 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85fc7c531cf13d9a5441308dd7839cf8ea9ff8bcd65d610c736c6ed2ff0294e
Instruction ID: 3d3ba818febd505e435abf1979d7f028b920753a7a5958ffa2c7d626f30a01f3
Opcode Fuzzy Hash: e85fc7c531cf13d9a5441308dd7839cf8ea9ff8bcd65d610c736c6ed2ff0294e
Instruction Fuzzy Hash: 05E0ED34D05208EFC744EFA8D5506ACBBF4EB48300F14C5A9D90893340D7355A01CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06AF6090 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85fc7c531cf13d9a5441308dd7839cf8ea9ff8bcd65d610c736c6ed2ff0294e
Instruction ID: 1a6ea4a38e14490d274ecc27d3636d0ec272232288f486ad4ddc537e40831a5d
Opcode Fuzzy Hash: e85fc7c531cf13d9a5441308dd7839cf8ea9ff8bcd65d610c736c6ed2ff0294e
Instruction Fuzzy Hash: 1FE0E534E05208EFCB84EFA8D540AACBBF4FB88300F20C1AA9918A3341D7759A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB1D3 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e77ecfe58791dc68b3791f53a771028d71bfb69342e151b86835620324ac0c
Instruction ID: 3b3762d7fed9077fe3e5cb643830f1b18b9a41315d1d60000f35fdfc8c08717b
Opcode Fuzzy Hash: 46e77ecfe58791dc68b3791f53a771028d71bfb69342e151b86835620324ac0c
Instruction Fuzzy Hash: 20E0C23182610CEFC740EFF4D900A9FBBF8EF05300F1004A69B01A3120DE715A00CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3DF0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85fc7c531cf13d9a5441308dd7839cf8ea9ff8bcd65d610c736c6ed2ff0294e
Instruction ID: 165719de06db02d7c252016537c619d5ce764c4add5aa8e074d6fb804b70f4be
Opcode Fuzzy Hash: e85fc7c531cf13d9a5441308dd7839cf8ea9ff8bcd65d610c736c6ed2ff0294e
Instruction Fuzzy Hash: ECE0E574E05208EFCB84EFA8D540AACBBF4FB89300F1081AA9918A3340D7359E12CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06AFED4F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bd1224dc49be75a5ac280c44ca53cd1a4268c37d846bd5dd4a06edc1622c34
Instruction ID: 3bfa20b480cab172f2705989d81b1bbfb9a4ba84d9e3a608f737056e410d45dd
Opcode Fuzzy Hash: d7bd1224dc49be75a5ac280c44ca53cd1a4268c37d846bd5dd4a06edc1622c34
Instruction Fuzzy Hash: E9F0A538D04208FFCB54DFA8D941A9DBBB1FB48300F10C0A9AD18A7350D735AA51DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3BC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1daf647a7a6953b83f7f25d7c37893451c4c44ec55e4dde9dba1868eb4804f
Instruction ID: d1eea732ac9a9ff3e92508480dd287bd0b587df1da516c6afd2e93643eadf348
Opcode Fuzzy Hash: fb1daf647a7a6953b83f7f25d7c37893451c4c44ec55e4dde9dba1868eb4804f
Instruction Fuzzy Hash: A2E0E538909208EBCB05EF98D950DADBB75FB49300F10859AEE0427251C7329A61DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF17E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2332ddf660ce4e9dc7eedee5103f2564fdcf2be3bc43f6745df565d01252de86
Instruction ID: b9db3556b27e706480f57e00c6a81359d48d1cea760e794bbd65648e35ee368f
Opcode Fuzzy Hash: 2332ddf660ce4e9dc7eedee5103f2564fdcf2be3bc43f6745df565d01252de86
Instruction Fuzzy Hash: 1AE0C23A80520CEFD700FFF4D404AAA7BB8EB46300F0040A6E60AA3150EB340E40DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB56B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a274af295f57b93bf989383a3a6a49f2883d5bf37982251fd269c3ac076611
Instruction ID: c62f5fb9d800cb2f3844b8b167b3818aa767238f4ba3082600e1be22fe334472
Opcode Fuzzy Hash: 72a274af295f57b93bf989383a3a6a49f2883d5bf37982251fd269c3ac076611
Instruction Fuzzy Hash: 39E01AB0D01209DFDB80EFA8C94479EBFF0BF08704F2184A5D019EB215E77486098F91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3AE8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bdd958f267554f9fee22e078240692fa77da41410328acb73c3b952d4e6371
Instruction ID: a84f21de77c9eb6e77ecd1b3713cbbf0ff290e86c68145d75b5dabb42bcbcd18
Opcode Fuzzy Hash: e2bdd958f267554f9fee22e078240692fa77da41410328acb73c3b952d4e6371
Instruction Fuzzy Hash: CAE0C2B181610CEFCB80FFF4D501AAE7AE8EB05200F0000E5D605A7110DA314E04D796

Uniqueness

Uniqueness Score: -1.00%

Function 06AF5830 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe5787723ee7e9b589d51186374986c5b39464f4cdd572cd14d205caf9872e5
Instruction ID: e9bb3031995a80c44561d19e885eaef5dee2bc50510bbe319e95e0ba80410b2a
Opcode Fuzzy Hash: 3fe5787723ee7e9b589d51186374986c5b39464f4cdd572cd14d205caf9872e5
Instruction Fuzzy Hash: 3DE01271C6610CEFD750FFF4D500AA97AEDEB45200F1045E5DB05A7510DA315A04A796

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB570 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840b823bc719881f4fc82aebf6e46f7411a02ca82fcbe413489d45f16e9a39b7
Instruction ID: d3a84bb45b05c0eeb7df8ec19d5be8d0f4d27c2a860a7928b1714e9e495f0ee0
Opcode Fuzzy Hash: 840b823bc719881f4fc82aebf6e46f7411a02ca82fcbe413489d45f16e9a39b7
Instruction Fuzzy Hash: 86E0B6B0D50209EFDB80EFB9C905B5EBBF4BF08304F1185A9D119E7211E7B496058F91

Uniqueness

Uniqueness Score: -1.00%

Function 06AF9570 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5b9f51d3580b7a41b4e948bcffc7db7efa684ddc9d2b26f976ce9bc0c4bdb4
Instruction ID: d1092dd825621601cdc41090e295bfe0007c1f29c290f7d22489d683159b5fde
Opcode Fuzzy Hash: 1d5b9f51d3580b7a41b4e948bcffc7db7efa684ddc9d2b26f976ce9bc0c4bdb4
Instruction Fuzzy Hash: AAD0C27180110CEFC700EFF4D404A5E7BB8EB05701F0000A69706D3110DF324A04C792

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB1D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628288fcfdd5ced31b72aa9b26a615d903b4fa94882d7bb4e5de1677fae9ff64
Instruction ID: 266751e754fc6ae8b84a91365f0c68d598c198a7a0b2abd4378f25eacf52c963
Opcode Fuzzy Hash: 628288fcfdd5ced31b72aa9b26a615d903b4fa94882d7bb4e5de1677fae9ff64
Instruction Fuzzy Hash: 28D0127185510CEFC740EFF4D50065E7BE8DB05700F1005A69B0597160DD715A04D6A6

Uniqueness

Uniqueness Score: -1.00%

Function 06AF8D90 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06a67f4fcea6460e7d1436939379cd5da6ac2d1cbd7c685ab8bb1a5a0023f91
Instruction ID: d5a3f767a3ee2b74c155160c936f0df8d189832351a07b6a63f1c740ec16f244
Opcode Fuzzy Hash: e06a67f4fcea6460e7d1436939379cd5da6ac2d1cbd7c685ab8bb1a5a0023f91
Instruction Fuzzy Hash: 26D0A92401A3448FE30127B8A80C7213FB8AF42B06F0000A3E78887CA3CA699800CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 06AFB668 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5ca6b1a19490d6491da0b080d5d6fed734212154468e16dd5c222494d816cb
Instruction ID: e00cfb0dbc5b6d1a044c5bf0aa802c85ecbfbad38d6957b2706459b86116dd53
Opcode Fuzzy Hash: 1b5ca6b1a19490d6491da0b080d5d6fed734212154468e16dd5c222494d816cb
Instruction Fuzzy Hash: 38D012322201089E4BC0FBD5ED40D567BEDAB146403458032F604CB530EB22E464E752

Uniqueness

Uniqueness Score: -1.00%

Function 06AF8DA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaed2b18b9bcafbf6bb0deb39cf642334087d5d8f6bb08fa8b3275a5be90612
Instruction ID: 5c84e63421a6c8fe02aa952e6140d9d3662d02df3673fc35451b457d087d0ce0
Opcode Fuzzy Hash: edaed2b18b9bcafbf6bb0deb39cf642334087d5d8f6bb08fa8b3275a5be90612
Instruction Fuzzy Hash: 2CC04C34026604C7D65477A8B50C7757BB8BB45B06F400522A74D528668F799850C6B6

Uniqueness

Uniqueness Score: -1.00%

Function 06AF3658 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.410917818.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6af0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9dfe85636ff1c9fd6f7ade3a2d240197b8dbaac92972f374eabe274cb22c07
Instruction ID: 455242ec2ebe8df420d6e44c4ade5706ed486ed66e22ba78d5098e0a8e425947
Opcode Fuzzy Hash: 5c9dfe85636ff1c9fd6f7ade3a2d240197b8dbaac92972f374eabe274cb22c07
Instruction Fuzzy Hash: 25B0123D17A161FA77C0B3E88B2693B9562FB7A700B514C11B30650180C4349820E197

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4An07Q7I8G.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4An07Q7I8G.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\tmpA70D.tmp

C:\Users\user\AppData\Local\Temp\tmpA8D3.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Windows Analysis Report
4An07Q7I8G.exe