Analysis Report Package_details.exe

Overview

General Information

Sample Name: Package_details.exe
Analysis ID: 321402
MD5: ce3c5367fb067a45f5fa10c35ca23a28
SHA1: 9d0f4d746747a6fd13a48b1a867eb8d103d9daec
SHA256: e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Package_details.exe (PID: 1092 cmdline: 'C:\Users\user\Desktop\Package_details.exe' MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • cmd.exe (PID: 4092 cmdline: cmd /c schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5464 cmdline: schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • Package_details.exe (PID: 4156 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
      • schtasks.exe (PID: 5592 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Package_details.exe (PID: 5804 cmdline: C:\Users\user\Desktop\Package_details.exe 0 MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • Package_details.exe (PID: 4168 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • Package_details.exe (PID: 2140 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
      • Package_details.exe (PID: 6304 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
  • dhcpmon.exe (PID: 4112 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • dhcpmon.exe (PID: 5712 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
  • dhcpmon.exe (PID: 4604 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • dhcpmon.exe (PID: 6236 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • dhcpmon.exe (PID: 6296 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
      • dhcpmon.exe (PID: 6532 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x251e5:$x1: NanoCore.ClientPluginHost
  • 0x25222:$x2: IClientNetworkHost
  • 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x24f5d:$x1: NanoCore Client.exe
  • 0x251e5:$x2: NanoCore.ClientPluginHost
  • 0x2681e:$s1: PluginCommand
  • 0x26812:$s2: FileCommand
  • 0x276c3:$s3: PipeExists
  • 0x2d47a:$s4: PipeCreated
  • 0x2520f:$s5: IClientLoggingHost
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x24f4d:$a: NanoCore
    • 0x24f5d:$a: NanoCore
    • 0x25191:$a: NanoCore
    • 0x251a5:$a: NanoCore
    • 0x251e5:$a: NanoCore
    • 0x24fac:$b: ClientPlugin
    • 0x251ae:$b: ClientPlugin
    • 0x251ee:$b: ClientPlugin
    • 0x250d3:$c: ProjectData
    • 0x25ada:$d: DESCrypto
    • 0x2d4a6:$e: KeepAlive
    • 0x2b494:$g: LogClientMessage
    • 0x2768f:$i: get_Connected
    • 0x25e10:$j: #=q
    • 0x25e40:$j: #=q
    • 0x25e5c:$j: #=q
    • 0x25e8c:$j: #=q
    • 0x25ea8:$j: #=q
    • 0x25ec4:$j: #=q
    • 0x25ef4:$j: #=q
    • 0x25f10:$j: #=q
    00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    12.2.dhcpmon.exe.5760000.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xe38d:$x1: NanoCore.ClientPluginHost
    • 0xe3ca:$x2: IClientNetworkHost
    • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    12.2.dhcpmon.exe.5760000.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe105:$x1: NanoCore Client.exe
    • 0xe38d:$x2: NanoCore.ClientPluginHost
    • 0xf9c6:$s1: PluginCommand
    • 0xf9ba:$s2: FileCommand
    • 0x1086b:$s3: PipeExists
    • 0x16622:$s4: PipeCreated
    • 0xe3b7:$s5: IClientLoggingHost
    12.2.dhcpmon.exe.5760000.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      12.2.dhcpmon.exe.5760000.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xe0f5:$a: NanoCore
      • 0xe105:$a: NanoCore
      • 0xe339:$a: NanoCore
      • 0xe34d:$a: NanoCore
      • 0xe38d:$a: NanoCore
      • 0xe154:$b: ClientPlugin
      • 0xe356:$b: ClientPlugin
      • 0xe396:$b: ClientPlugin
      • 0xe27b:$c: ProjectData
      • 0xec82:$d: DESCrypto
      • 0x1664e:$e: KeepAlive
      • 0x1463c:$g: LogClientMessage
      • 0x10837:$i: get_Connected
      • 0xefb8:$j: #=q
      • 0xefe8:$j: #=q
      • 0xf004:$j: #=q
      • 0xf034:$j: #=q
      • 0xf050:$j: #=q
      • 0xf06c:$j: #=q
      • 0xf09c:$j: #=q
      • 0xf0b8:$j: #=q
      19.2.Package_details.exe.2970000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

      Sigma Overview

      System Summary:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Package_details.exe, ProcessId: 4156, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp location
      Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Package_details.exe, ParentImage: C:\Users\user\Desktop\Package_details.exe, ParentProcessId: 4156, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', ProcessId: 5592

      Signature Overview

      AV Detection:

      Multi AV Scanner detection for dropped file
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 34%
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 25%
      Multi AV Scanner detection for submitted file
      Source: Package_details.exe, ReversingLabs: Detection: 25%
      Yara detected Nanocore RAT
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Local\Temp\AppData\sysfonts.exe, Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
      Machine Learning detection for sample
      Source: Package_details.exe, Joe Sandbox ML: detected
      Source: 0.2.Package_details.exe.3160000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 13.2.dhcpmon.exe.2420000.2.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 9.2.Package_details.exe.25c0000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 21.2.dhcpmon.exe.5470000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 0.2.Package_details.exe.1910000.3.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 14.2.Package_details.exe.2fb0000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 10.2.dhcpmon.exe.df0000.2.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 14.2.Package_details.exe.2db0000.3.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 19.2.Package_details.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 18.2.dhcpmon.exe.2a40000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 13.2.dhcpmon.exe.2600000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 12.2.dhcpmon.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.Package_details.exe.d10000.1.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 10.2.dhcpmon.exe.2ae0000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 21.2.dhcpmon.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 18.2.dhcpmon.exe.1040000.3.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_00404A29 FindFirstFileExW,12_2_00404A29
      Source: C:\Users\user\Desktop\Package_details.exe, Code function: 19_2_00404A29 FindFirstFileExW,19_2_00404A29
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 21_2_00404A29 FindFirstFileExW,21_2_00404A29

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 209.159.151.5:24980
      Connects to many ports of the same IP (likely port scanning)
      Source: global traffic, TCP traffic: 209.159.151.5 ports 0,2,4,24980,8,9
      Source: global traffic, TCP traffic: 192.168.2.3:49706 -> 209.159.151.5:24980
      Source: Joe Sandbox View, ASN Name: IS-AS-1US IS-AS-1US
      Source: unknown, TCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: