i’ve seen a fair amount of malware that brings along its own DNS configuration. wonder what kind of signal this is? in the meantime, let’s identify this behavior with capa:

https://github.com/fireeye/capa-rules/pull/156/files

@williballenthin