
Analysis Report New PO 64739 (UK).exe

Overview

General Information

Sample Name: New PO 64739 (UK).exe
Analysis ID: 323002
MD5: b6babb0d3661cd172c93c496dc4c1db1
SHA1: de2db850207d77611f557a060681f2c2a19ae1ef
SHA256: bca89f6ecbf4dfde0cc003b96f907ae1ab9b33a64650836d547d07291a059e86
Tags: NanoCore


Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • New PO 64739 (UK).exe (PID: 1308 cmdline: 'C:\Users\user\Desktop\New PO 64739 (UK).exe' MD5: B6BABB0D3661CD172C93C496DC4C1DB1)
    • schtasks.exe (PID: 5904 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6016 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.207"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
  • 0x15f1:$a: NanoCore
  • 0x164a:$a: NanoCore
  • 0x1687:$a: NanoCore
  • 0x1700:$a: NanoCore
  • 0x14dab:$a: NanoCore
  • 0x14dc0:$a: NanoCore
  • 0x14df5:$a: NanoCore
  • 0x22a0a:$a: NanoCore
  • 0x22a2f:$a: NanoCore
  • 0x22a88:$a: NanoCore
  • 0x32c25:$a: NanoCore
  • 0x32c4b:$a: NanoCore
  • 0x32ca7:$a: NanoCore
  • 0x3fafc:$a: NanoCore
  • 0x3fb55:$a: NanoCore
  • 0x3fb88:$a: NanoCore
  • 0x3fdb4:$a: NanoCore
  • 0x3fe30:$a: NanoCore
  • 0x40449:$a: NanoCore
  • 0x40592:$a: NanoCore
  • 0x40a66:$a: NanoCore
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

        Unpacked PEs

Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth; Strings:
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 4.2.MSBuild.exe.400000.0.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 4.2.MSBuild.exe.400000.0.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth; Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 4.2.MSBuild.exe.400000.0.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
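The string hits listed in the two tables above, reproduced as an added worked example. This is my own code, not part of the Joe Sandbox report and not the signature-base rules themselves: it takes the string identifiers and values the report shows for Nanocore_RAT_Gen_2 and Nanocore_RAT_Feb18_1, searches a buffer for them as both ASCII and UTF-16LE (what YARA's `ascii wide` modifiers do), and prints the matches in the same "0xOFFSET:$id: value" shape as the Yara Overview. The memory buffer is constructed, and the match condition is a simplification chosen for the example, not the real condition of either rule.

```python
"""Added example (not from the report or from signature-base): a small scanner
that reproduces what the community YARA hits above consist of. The rule
conditions below are a simplification chosen for the example, NOT the real
conditions of either rule; the buffer is constructed, not a real dump."""
from typing import Dict, List, Tuple

Hit = Tuple[int, str, str, str]   # (offset, string id, value, encoding)

# String identifiers and values as listed in the report's Yara Overview.
RULE_STRINGS: Dict[str, Dict[str, str]] = {
    "Nanocore_RAT_Gen_2": {
        "$x1": "NanoCore.ClientPluginHost",
        "$x2": "IClientNetworkHost",
        "$x3": "#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
    },
    "Nanocore_RAT_Feb18_1": {
        "$x1": "NanoCore Client.exe",
        "$x2": "NanoCore.ClientPluginHost",
        "$s1": "PluginCommand",
        "$s2": "FileCommand",
        "$s3": "PipeExists",
        "$s4": "PipeCreated",
        "$s5": "IClientLoggingHost",
    },
}

def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in buf (YARA reports each one)."""
    offsets, pos = [], buf.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(needle, pos + 1)
    return offsets

def scan(buf: bytes, strings: Dict[str, str]) -> List[Hit]:
    """Match each string as ASCII and as UTF-16LE, as 'ascii wide' would."""
    hits: List[Hit] = []
    for sid, value in strings.items():
        for enc, needle in (("ascii", value.encode("ascii")),
                            ("wide", value.encode("utf-16-le"))):
            hits.extend((off, sid, value, enc) for off in find_all(buf, needle))
    return sorted(hits)

def simplified_condition(hits: List[Hit]) -> bool:
    """ASSUMED condition for the example: any $x marker, or at least three $s
    markers. The real rules differ; read their conditions from signature-base."""
    matched = {sid for _, sid, _, _ in hits}
    return any(s.startswith("$x") for s in matched) or \
        sum(1 for s in matched if s.startswith("$s")) >= 3

def match_rules(buf: bytes) -> Dict[str, bool]:
    return {name: simplified_condition(scan(buf, strings))
            for name, strings in RULE_STRINGS.items()}

def format_hits(hits: List[Hit]) -> List[str]:
    return [f"0x{off:x}:{sid}: {value} ({enc})" for off, sid, value, enc in hits]

def build_sample_dump() -> bytes:
    """Constructed buffer standing in for a memory dump: .NET type names live as
    UTF-8 in the metadata #Strings heap, while version-info values such as the
    original file name are stored UTF-16LE, so both encodings appear."""
    return (b"\x00" * 0x40
            + b"NanoCore.ClientPluginHost" + b"\x00" * 0x20   # ascii at 0x40
            + b"IClientNetworkHost" + b"\x00" * 0x10          # ascii at 0x79
            + "NanoCore Client.exe".encode("utf-16-le")       # wide at 0x9b
            + b"\x00" * 8
            + b"PipeExists" + b"PipeCreated")                 # 0xc9 and 0xd3

if __name__ == "__main__":
    dump = build_sample_dump()
    for name, strings in RULE_STRINGS.items():
        print(name, "matched" if match_rules(dump)[name] else "no match")
        for line in format_hits(scan(dump, strings)):
            print("  " + line)
```

The practical point: a single marker such as `NanoCore.ClientPluginHost` is weak on its own, because it also occurs in the legitimate plugin SDK that the PDB paths later in this report come from; the rules gain their confidence from combining several markers, which is why the report lists the matched string set rather than one hit.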

          Sigma Overview

          System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6016, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\New PO 64739 (UK).exe', ParentImage: C:\Users\user\Desktop\New PO 64739 (UK).exe, ParentProcessId: 1308, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp', ProcessId: 5904
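The persistence and injection steps in the process tree, re-expressed as an added worked example. This is my own code, not Joe Security's Sigma rules and not code from the report: it runs two process-creation detections over a few constructed Sysmon-style events modelled on the tree above. The first mirrors the "Scheduled temp file as task from temp location" hit (schtasks.exe /Create whose /XML argument points into a temp directory). The second is a companion heuristic of my own, not a rule the report names: MSBuild.exe started with no arguments by a parent outside the build toolchain, which is what the hollowed MSBuild.exe host (PID 6016) looks like in telemetry. The temp-directory pattern, the parent allow-list and the benign control events are assumptions for the example.

```python
"""Added example (not from the Joe Sandbox report): two process-creation
detections run over constructed Sysmon-style events modelled on this report's
process tree. The temp-directory pattern, the MSBuild parent allow-list and the
benign control events are assumptions made for the example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str
    command_line: str
    parent_image: str

# Arguments quoted Windows-style ("...") or Joe Sandbox-style ('...'), else bare.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# Assumed: temp directories a dropper writes its task XML into.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Assumed allow-list of parents that legitimately launch MSBuild.exe.
TOOLCHAIN_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(command_line)]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def schtasks_xml_from_temp(ev: ProcessEvent) -> Optional[str]:
    """Sigma 'Scheduled temp file as task from temp location': schtasks /Create
    whose /XML argument points into a temp directory."""
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokenize(ev.command_line)
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered or "/xml" not in lowered:
        return None
    xml_pos = lowered.index("/xml") + 1
    if xml_pos >= len(toks):
        return None          # malformed: /XML with no path after it
    xml_path = toks[xml_pos]
    if TEMP_DIR_RE.search(xml_path):
        return f"schtasks /Create with task XML from temp: {xml_path}"
    return None

def msbuild_without_arguments(ev: ProcessEvent) -> Optional[str]:
    """Companion heuristic (assumed, not a rule the report names): MSBuild.exe
    started with no build arguments by a parent outside the build toolchain."""
    if basename(ev.image) != "msbuild.exe":
        return None
    if len(tokenize(ev.command_line)) > 1:
        return None          # a project path or switch was passed: normal build
    if basename(ev.parent_image) in TOOLCHAIN_PARENTS:
        return None
    return f"MSBuild.exe started with no arguments by {ev.parent_image}"

def run_detections(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that trips a detection."""
    findings = []
    for ev in events:
        for rule in (schtasks_xml_from_temp, msbuild_without_arguments):
            reason = rule(ev)
            if reason:
                findings.append((ev.pid, reason))
    return findings

# Constructed events: the first two mirror the report's process tree, the last
# two are benign controls (paths made up for the example).
SAMPLE_EVENTS = [
    ProcessEvent(5904, 1308, r"C:\Windows\SysWOW64\schtasks.exe",
                 r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' "
                 r"/XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'",
                 r"C:\Users\user\Desktop\New PO 64739 (UK).exe"),
    ProcessEvent(6016, 1308, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r"C:\Users\user\Desktop\New PO 64739 (UK).exe"),
    ProcessEvent(4100, 4000, r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4200, 4150, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
                 r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"),
]

if __name__ == "__main__":
    for pid, reason in run_detections(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

Note that the report logs the image as C:\Windows\SysWOW64\schtasks.exe although the command line names System32: the 32-bit .NET dropper is redirected by WOW64, so match on the image's basename rather than its full path.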

          Signature Overview


          AV Detection:

Found malware configuration
Source: MSBuild.exe.6016.4.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.207"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
Source: Yara match; File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: 4.2.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49696 -> 185.140.53.207:2121
Source: global traffic; TCP traffic: 192.168.2.5:49696 -> 185.140.53.207:2121
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.207 (this entry is repeated 50 times in the report)
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49688
Source: New PO 64739 (UK).exe, 00000000.00000002.264745155.00000000016F8000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices
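The two network findings above, "TCP traffic detected without corresponding DNS query" and traffic on a non-standard port, re-implemented as an added worked example. This is my own code, not Joe Sandbox's and not from the report: it correlates constructed DNS-answer and TCP-connect events modelled on this report's traffic (the beacon destination 185.140.53.207:2121 comes from the Snort alert; the DNS answer and the HTTPS control connection are made up), flags connections whose destination no DNS answer produced, and collapses repeated beacons to one line per destination with a count, which is how the 50 identical entries above are best read. The common-port baseline, the correlation window and the local-network exclusions are assumptions for the example.

```python
"""Added example (not from the report): the no-DNS and non-standard-port checks
from the Networking section, run over constructed events. The common-port
baseline, the correlation window and the control connection are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since capture start
    name: str
    ip: str

@dataclass(frozen=True)
class TcpConnect:
    ts: float
    src: str
    dst_ip: str
    dst_port: int

# Assumed baseline of ports a client normally talks to; tune per environment.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}
# Destinations inside these networks are skipped: the check is about internet hosts.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

def resolved_before(answers: List[DnsAnswer], ts: float, window: float) -> Set[str]:
    """IPs that some DNS answer produced inside the window preceding ts."""
    return {a.ip for a in answers if ts - window <= a.ts <= ts}

def analyse(answers: List[DnsAnswer], connects: List[TcpConnect],
            window: float = 300.0) -> List[Tuple[TcpConnect, Tuple[str, ...]]]:
    """Attach a tuple of reasons to every suspicious internet connection."""
    findings = []
    for c in connects:
        if any(ip_address(c.dst_ip) in net for net in LOCAL_NETS):
            continue
        reasons = []
        if c.dst_ip not in resolved_before(answers, c.ts, window):
            reasons.append("no-dns")          # hard-coded IP, as a RAT config supplies
        if c.dst_port not in COMMON_PORTS:
            reasons.append("nonstandard-port")
        if reasons:
            findings.append((c, tuple(reasons)))
    return findings

def summarise(findings) -> Dict[Tuple[str, int], Tuple[int, Tuple[str, ...]]]:
    """Collapse repeated beacons to one entry per (ip, port) with a hit count."""
    summary: Dict[Tuple[str, int], Tuple[int, Tuple[str, ...]]] = {}
    for c, reasons in findings:
        key = (c.dst_ip, c.dst_port)
        count, _ = summary.get(key, (0, reasons))
        summary[key] = (count + 1, reasons)
    return summary

# Constructed events: the beacon destination and port come from the report's
# Snort alert; the DNS answer and the HTTPS control connection are made up.
SAMPLE_DNS = [DnsAnswer(1.0, "update.example.com", "203.0.113.10")]
SAMPLE_CONNECTS = [
    TcpConnect(2.0, "192.168.2.5", "203.0.113.10", 443),
    TcpConnect(5.0, "192.168.2.5", "185.140.53.207", 2121),
    TcpConnect(65.0, "192.168.2.5", "185.140.53.207", 2121),
    TcpConnect(125.0, "192.168.2.5", "185.140.53.207", 2121),
]

if __name__ == "__main__":
    for (ip, port), (count, reasons) in summarise(analyse(SAMPLE_DNS, SAMPLE_CONNECTS)).items():
        print(f"{ip}:{port} x{count} {' '.join(reasons)}")
```

The no-DNS check is the more robust of the two: the port is operator-chosen and changes between builds, whereas a client that connects to a literal IP from its configuration, as the extracted config above shows, never produces the DNS lookup that precedes almost all legitimate outbound connections.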

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
Source: Yara match; File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.510056845.0000000004A34000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.509942877.00000000049FA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_0329015C NtQueryInformationProcess
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290152 NtQueryInformationProcess
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290BB0 NtQueryInformationProcess
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290480
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290968
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290ED8
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03297D68
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_0329C7C0
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290470
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290958
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03290EC8
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_03297D59
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_06A1CE78
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_06A1C510
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_06A10006
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_06A10040
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Code function: 0_2_06A169D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4_2_053BE471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4_2_053BE480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4_2_053BBBD4
Source: New PO 64739 (UK).exe; Binary or memory string: OriginalFilename vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000000.236804694.0000000000F42000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameD0I8.exeP vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameKedermister.dllT vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.274713965.0000000006FF0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.274836383.00000000070F0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.274836383.00000000070F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.264745155.00000000016F8000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe; Binary or memory string: OriginalFilenameD0I8.exeP vs New PO 64739 (UK).exe
Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.510056845.0000000004A34000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.509942877.00000000049FA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine; Classification label: mal100.troj.evad.winEXE@6/8@0/1
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; File created: C:\Users\user\AppData\Roaming\TqGgKBQek.exe
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Mutant created: \Sessions\1\BaseNamedObjects\rkIHgZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{34118051-8385-43c4-bed1-aa9e16db604f}
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; File created: C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp
Source: New PO 64739 (UK).exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; File read: C:\Users\user\Desktop\New PO 64739 (UK).exe
Source: unknown; Process created: C:\Users\user\Desktop\New PO 64739 (UK).exe 'C:\Users\user\Desktop\New PO 64739 (UK).exe'
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New PO 64739 (UK).exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New PO 64739 (UK).exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs - .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs - .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Code function: 0_2_00F45AF4 push ss; iretd 0_2_00F45AFE
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Code function: 0_2_06A15243 push eax; iretd 0_2_06A15244
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Code function: 0_2_06A15E5E push es; ret 0_2_06A15E7C
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Code function: 0_2_06A15F62 push es; retf 0_2_06A15F68
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Code function: 0_2_06A15F51 push es; retf 0_2_06A15F58
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Code function: 0_2_06A14CA2 push ecx; iretd 0_2_06A14CA8
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Code function: 0_2_06A15C7D push es; iretd 0_2_06A15E00
          Source: initial sample - Static PE information: section name: .text entropy: 7.26752340009
          Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs - High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs - High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - File created: C:\Users\user\AppData\Roaming\TqGgKBQek.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown - Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match - File source: 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: 00000000.00000002.265117190.0000000003390000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp - Binary or memory string: SBIEDLL.DLL
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp - Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Window / User API: threadDelayed 2929
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Window / User API: threadDelayed 6616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Window / User API: foregroundWindowGot 612
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Window / User API: foregroundWindowGot 797
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe TID: 1748 - Thread sleep time: -50584s >= -30000s
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe TID: 3056 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe TID: 1688 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4624 - Thread sleep time: -16602069666338586s >= -30000s
          Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp - Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp - Binary or memory string: vmware
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp - Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: MSBuild.exe, 00000004.00000002.504816638.000000000134C000.00000004.00000001.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp - Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Process token adjusted: Debug
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C43008
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Source: MSBuild.exe, 00000004.00000002.509159099.0000000003583000.00000004.00000001.sdmp - Binary or memory string: Program Manager
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp - Binary or memory string: Shell_TrayWnd
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp - Binary or memory string: Progman
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp - Binary or memory string: SProgram Managerl
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp - Binary or memory string: Shell_TrayWnd,
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp - Binary or memory string: Progmanlock
          Source: MSBuild.exe, 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp - Binary or memory string: Program ManagerHa
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Queries volume information: C:\Users\user\Desktop\New PO 64739 (UK).exe VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match - File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match - File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
          Source: Yara match - File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
          Source: Yara match - File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Detected Nanocore RatShow sources
          Source: New PO 64739 (UK).exe, 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RAT

Source: Yara match, File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
Source: Yara match, File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
Source: Yara match, File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection212 | Masquerading1 | Input Capture21 | Security Software Discovery121 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph


          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
4.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | false | | high

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.207 | unknown | Sweden | 209623 | DAVID_CRAIGGG | true

            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323002
Start date: 26.11.2020
Start time: 07:56:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: New PO 64739 (UK).exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/8@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.6% (good quality ratio 1.3%)
• Quality average: 52.8%
• Quality standard deviation: 32.9%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 43
• Number of non-executed functions: 5
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 40.88.32.150, 92.122.144.200, 13.88.21.125, 2.20.142.209, 2.20.142.210
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/323002/sample/New PO 64739 (UK).exe

            Simulations

            Behavior and APIs

Time | Type | Description
07:58:00 | API Interceptor | 1x Sleep call for process: New PO 64739 (UK).exe modified

            Joe Sandbox View / Context

            IPs

Match | Associated Sample Name / URL | Detection
185.140.53.207 | DHL ShipmentDHL Shipment 237590.pdf.exe | malicious
185.140.53.207 | Doc_AWB#5305323204643_UPS.pdf.exe | malicious
185.140.53.207 | irs Doc Attached.exe | malicious

                  Domains

                  No context

                  ASN

Match | Associated Sample Name / URL | Detection | Context
DAVID_CRAIGGG | 90987948.exe | malicious | 185.244.30.223
DAVID_CRAIGGG | tzjEwwwbqK.exe | malicious | 185.140.53.149
DAVID_CRAIGGG | PO456789.exe | malicious | 185.244.30.212
DAVID_CRAIGGG | kelvinx.exe | malicious | 185.140.53.132
DAVID_CRAIGGG | Order-2311.exe | malicious | 91.193.75.147
DAVID_CRAIGGG | YZD221120.exe | malicious | 91.193.75.147
DAVID_CRAIGGG | ORDER #201120A.exe | malicious | 185.244.30.92
DAVID_CRAIGGG | oUI0jQS8xQ.exe | malicious | 185.140.53.149
DAVID_CRAIGGG | Quotation ATB-PR28500KINH.exe | malicious | 185.140.53.139
DAVID_CRAIGGG | Quotation ATB-PR28500KINH.exe | malicious | 185.140.53.139
DAVID_CRAIGGG | Ups file de.exe | malicious | 185.140.53.221
DAVID_CRAIGGG | NyUnwsFSCa.exe | malicious | 185.140.53.149
DAVID_CRAIGGG | purchase order.exe | malicious | 185.140.53.233
DAVID_CRAIGGG | Remittance Details.xls | malicious | 185.140.53.184
DAVID_CRAIGGG | PaymentConfirmation.exe | malicious | 185.140.53.183
DAVID_CRAIGGG | ORDER #02676.doc.exe | malicious | 185.244.30.92
DAVID_CRAIGGG | b11305c6ab207f830062f80eeec728c4.exe | malicious | 185.140.53.233
DAVID_CRAIGGG | ShippingDoc.jar | malicious | 185.244.30.139
DAVID_CRAIGGG | 1kn1ejwPxi.exe | malicious | 185.140.53.132
DAVID_CRAIGGG | D6vy84I7rJ.exe | malicious | 185.140.53.149

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO 64739 (UK).exe.log
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR
MD5: 8198C64CE0786EABD4C792E7E6FC30E5
SHA1: 71E1676126F4616B18C751A0A775B2D64944A15A
SHA-256: C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4
SHA-512: EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1646
Entropy (8bit): 5.175965126269107
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBUtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3Q
MD5: 40116A05B516A07CF1C194259F56F2D2
SHA1: 8A86389C92C0A7C9E6CF5467E15CFF7BC9750142
SHA-256: F7BCDA8DF5E89517F99B4E4AC8CD5FAF36A9AEEB5B39DDAF753AADFD7FEDAC69
SHA-512: 4A9ED1686A93C54A5B3BB3193FEAF1EC322760876EB0A210A9D8734B886A7A7AEFD657B750271C5966CDFB98358D01730385ED5653994BE39685CD2BA992B8EA
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA1: EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512: 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious: false
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:fLNt:fLNt
MD5: 78D38F5EA0447F24368720C617A73787
SHA1: 40D69D1741E9DFCE88591F7D9E536742746EB82D
SHA-256: 5BF50106AF31E263A4E0286B8B0B3E2ACCAA5BFFF07418A5756C632FE62748D8
SHA-512: 17192164B2C28B723F1187071B737B97C780F9CB3424CDFCEB063FEA1F38BD3377F3424F8AA3B9A1F4F0090A95D45084A6F1306DEB1BAEDA453C4D7978690343
Malicious: true
Preview: W...$..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\TqGgKBQek.exe
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 936960
Entropy (8bit): 7.261816231890523
Encrypted: false
SSDEEP: 12288:zpH4EQ1NXT5zPvEzOh3CqA5vLs1R5eyZIHCJL4SI571xTXcsPPQk3LPf0TzAH8Uh:zpH4EQj5LvEKoq+vk2y6iJL4/ZcoPQa
MD5: B6BABB0D3661CD172C93C496DC4C1DB1
SHA1: DE2DB850207D77611F557A060681F2C2A19AE1EF
SHA-256: BCA89F6ECBF4DFDE0CC003B96F907AE1AB9B33A64650836D547D07291A059E86
SHA-512: 45DCE5171772DB72BF71FC72DAB6FEDA73995E7009F6B0BB74B2F25D6A5E23284C06C167505D56C79C6334A6E14E2B44B3117A4207F4396D4F71F01B1381CE91
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..@..........^_... ...`....@.. ....................................@.................................._..W....`............................................................................... ............... ..H............text...d?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............J..............@..B................@_......H..................1....r...i...........................................0..........(....*...0..X.......r...p. .u.. ..A.a%...^E........a...........................Q.......8....r...p(..... ..Z ..B.a+..(....(....r...p(....,. .i..%+. .1.%&. ]...Za8w...(..... ..}.8g....r...p(....(....,. z-..%+. >1..%&. ".@.Za89....-. ...m%+. <..?%&. ..HZa8.....(.... .Ej.8...........s....(....%.(.....(.... . -.8.....r;..p(....(....-. ..X.%+. ....%&. ...Za8....*.0...............('...*..0..y...

C:\Users\user\AppData\Roaming\TqGgKBQek.exe:Zone.Identifier
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

                  Static File Info

                  General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.261816231890523
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: New PO 64739 (UK).exe
File size: 936960
MD5: b6babb0d3661cd172c93c496dc4c1db1
SHA1: de2db850207d77611f557a060681f2c2a19ae1ef
SHA256: bca89f6ecbf4dfde0cc003b96f907ae1ab9b33a64650836d547d07291a059e86
SHA512: 45dce5171772db72bf71fc72dab6feda73995e7009f6b0bb74b2f25d6a5e23284c06c167505d56c79c6334a6e14e2b44b3117a4207f4396d4f71f01b1381ce91
SSDEEP: 12288:zpH4EQ1NXT5zPvEzOh3CqA5vLs1R5eyZIHCJL4SI571xTXcsPPQk3LPf0TzAH8Uh:zpH4EQj5LvEKoq+vk2y6iJL4/ZcoPQa
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..@..........^_... ...`....@.. ....................................@................................

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x4e5f5e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x5FBF0D88 [Thu Nov 26 02:06:00 2020 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this line repeats 85 times in the original listing: the 00 00 padding after the stub, decoded as two-byte ADDs)
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al

Only the first instruction is real code. Image base 0x400000 plus the IAT RVA 0x2000 (see Data Directories) gives 0x402000, the single IAT slot that holds the address of mscoree!_CorExeMain (see Imports); this FF 25 indirect jump is the standard native stub of every managed executable and says nothing about the sample itself. The bytes after it are padding and non-code data that the disassembler renders as junk. Static analysis of this file starts at the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008) and the managed entry point it names, not at this native entry point.

                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe5f04 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe6000 | 0x610 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe3f64 | 0xe4000 | False | 0.677923905222 | data | 7.26752340009 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xe6000 | 0x610 | 0x800 | False | 0.33203125 | data | 3.44745876984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xe60a0 | 0x380 | data | |
RT_MANIFEST | 0xe6420 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                  Imports

DLL | Import
mscoree.dll | _CorExeMain
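
The Static PE Info tables above are what a tool prints; the points that matter are that this is a managed executable (non-zero COM descriptor directory), that its only import is mscoree!_CorExeMain reached through a 6-byte jmp stub at the entry point, and that .text has entropy 7.27 where ordinary compiled code sits nearer 6, which indicates that most of .text is not code but a packed or encrypted payload. The compile timestamp (02:06 UTC on the day of the analysis) fits a freshly built loader but is trivially forged. The following is an added example, not part of the report or of Joe Sandbox: it extracts those same fields with only the Python standard library and turns them into findings. The entropy threshold, the image it builds for itself (a constructed PE32 with a random .text, not the analysed sample) and the helper names are this example's own.

```python
import math
import random
import struct

CLR_DIR = 14            # data-directory slot of the CLR (COM descriptor) header
PACKED_ENTROPY = 7.0    # bits per byte; plain compiled code usually sits around 6 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the per-section figure the report prints."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(blob: bytes) -> dict:
    """Extract the header fields the report tabulates from a 32-bit PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rsize, "raw_ptr": rptr,
                         "entropy": shannon_entropy(blob[rptr:rptr + rsize])})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections,
            "clr_header": dirs[CLR_DIR] if len(dirs) > CLR_DIR else (0, 0)}


def rva_to_offset(pe: dict, rva: int) -> int:
    """Map an RVA to a file offset through the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + rva - s["va"]
    raise ValueError(f"RVA {rva:#x} is outside every section")


def triage(blob: bytes) -> list:
    """State the findings a reviewer draws from the static tables."""
    pe, findings = parse_pe32(blob), []
    if pe["clr_header"][0]:
        findings.append(f"managed (.NET) image: CLR header at RVA {pe['clr_header'][0]:#x}")
        # A managed EXE's native entry point is a 6-byte FF 25 jmp through the IAT
        # to mscoree!_CorExeMain; anything else there means the stub was tampered with.
        off = rva_to_offset(pe, pe["entry_rva"])
        stub = blob[off:off + 6]
        if stub[:2] == b"\xff\x25":
            target = struct.unpack_from("<I", stub, 2)[0]
            findings.append(f"entry point is the standard CLR stub: jmp dword ptr [{target:08x}h]")
        else:
            findings.append("entry point is not the standard CLR stub: inspect it")
    for s in pe["sections"]:
        if s["entropy"] > PACKED_ENTROPY:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f}: packed or encrypted payload likely")
    return findings


def build_sample_pe() -> bytes:
    """Constructed test image, not the analysed sample: a PE32 managed EXE whose .text
    is pseudo-random (mimicking a packed payload) and whose .rsrc is all zeros."""
    rng = random.Random(1)
    text = bytearray(rng.getrandbits(8) for _ in range(0x1000))
    entry = 0x50                                   # CLR stub: jmp dword ptr [0x402000]
    text[entry:entry + 6] = b"\xff\x25" + struct.pack("<I", 0x400000 + 0x2000)
    rsrc, n_dirs, hdr_size = bytes(0x200), 16, 0x400
    dirs = [(0, 0)] * n_dirs
    dirs[12], dirs[CLR_DIR] = (0x2000, 8), (0x2008, 0x48)   # IAT and CLR header in .text
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5FBF0D88, 0, 0, 96 + 8 * n_dirs, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 48, 0, len(text), len(rsrc), 0,
                      0x2000 + entry, 0x2000, 0x4000, 0x400000)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x5000,
                       hdr_size, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, n_dirs)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), hdr_size,
                       0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x4000, len(rsrc),
                        hdr_size + len(text), 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(hdr_size, b"\0") + bytes(text) + rsrc


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Run it against the real sample by replacing build_sample_pe() with the file's bytes; the CLR-header and stub checks are exact, while the entropy threshold is a heuristic and should be read together with the section's virtual size (here 0xe3f64 bytes of .text for a program whose only import is the CLR loader).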

                  Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Hewlett-Packard 2017
Assembly Version | 1.0.0.0
InternalName | D0I8.exe
FileVersion | 1.0.0.0
CompanyName | Hewlett-Packard
LegalTrademarks |
Comments |
ProductName | Arizona Lottery Numbers
ProductVersion | 1.0.0.0
FileDescription | Arizona Lottery Numbers
OriginalFilename | D0I8.exe

                  Network Behavior

                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/26/20-07:58:09.962435 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
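
The Snort alert above and the packet table below are the report's only network artefacts. What an analyst needs from them is the session summary (peer, port, packets per direction, duration, timestamps in UTC for correlation with other sources) and confirmation of which packet tripped the IDS. The following is an added example, not part of the report or of Joe Sandbox: it parses a pipe-separated copy of a few rows from the packet table (embedded inline; the column layout and the sample selection are this example's own), converts the CET stamps to UTC, collapses the packets into one flow and flags the non-standard server port. The alert's timestamp matches the fourth packet exactly, the first client-to-server packet after the three that have the shape of a TCP handshake.

```python
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1), "CET")   # the sandbox clock; no DST in late November
# Assumed "ordinary" server ports; anything else is worth a second look.
COMMON_SERVER_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 587, 993, 995, 3389, 8080}

# Constructed input: rows copied from the report's TCP packet table (the first packets of the
# session and a few from the later server-to-client burst) in this example's own column layout:
# timestamp | src port | dst port | src IP | dst IP
SAMPLE_PACKETS = """\
Nov 26, 2020 07:58:09.412566900 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:09.600203037 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:09.601804018 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:09.962435007 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:10.194097042 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.541753054 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.541786909 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.310360909 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
"""

# The report's Snort alert, stamped in the same local clock as the packet table.
SNORT_ALERT_TS = datetime(2020, 11, 26, 7, 58, 9, 962435, tzinfo=CET)


def parse_ts(text: str) -> datetime:
    """'Nov 26, 2020 07:58:09.412566900 CET' -> aware UTC datetime (ns truncated to us)."""
    stamp, tz = text.rsplit(" ", 1)
    if tz != "CET":
        raise ValueError(f"unexpected zone {tz!r}")
    main, frac = stamp.rsplit(".", 1)
    local = datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f").replace(tzinfo=CET)
    return local.astimezone(timezone.utc)


def parse_packets(table: str) -> list:
    """One dict per row of the pipe-separated packet table."""
    rows = []
    for line in table.strip().splitlines():
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        rows.append({"ts": parse_ts(ts), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport)})
    return rows


def summarize_flows(rows: list) -> list:
    """Collapse packets into sessions; the first packet's source is taken as the client."""
    flows = {}
    for p in rows:
        key = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        f = flows.setdefault(key, {"client": (p["src"], p["sport"]), "server": (p["dst"], p["dport"]),
                                   "first_seen": p["ts"], "last_seen": p["ts"], "c2s": 0, "s2c": 0})
        f["last_seen"] = max(f["last_seen"], p["ts"])
        f["c2s" if (p["src"], p["sport"]) == f["client"] else "s2c"] += 1
    for f in flows.values():
        f["duration_s"] = (f["last_seen"] - f["first_seen"]).total_seconds()
        f["ioc"] = f"{f['server'][0]}:{f['server'][1]}"
        f["non_standard_port"] = f["server"][1] not in COMMON_SERVER_PORTS
    return list(flows.values())


def match_alert(rows: list, alert_ts: datetime) -> int:
    """Index of the packet whose timestamp equals the IDS alert's to the microsecond, else -1."""
    return next((i for i, p in enumerate(rows) if p["ts"] == alert_ts), -1)


if __name__ == "__main__":
    packets = parse_packets(SAMPLE_PACKETS)
    for flow in summarize_flows(packets):
        print(f"{flow['ioc']}  client {flow['client'][0]}  first {flow['first_seen'].isoformat()}  "
              f"{flow['duration_s']:.3f}s  c2s={flow['c2s']} s2c={flow['s2c']}  "
              f"non-standard port: {flow['non_standard_port']}")
    print("Snort alert matches packet index", match_alert(packets, SNORT_ALERT_TS))
```

The packet table carries no payload sizes, so the flow summary can say that the server sent far more packets than the client after 07:58:11 but not what it sent; pulling the PCAP is the next step, and the 185.140.53.207:2121 pair is the indicator to block and hunt for in the meantime.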

                  Network Port Distribution

                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2020 07:58:09.412566900 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:09.600203037 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:09.601804018 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:09.962435007 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:10.194097042 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:10.194221973 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:10.330408096 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:10.374310017 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:10.474917889 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:10.476288080 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:10.672211885 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:10.730436087 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:11.590236902 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:11.832217932 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.900038004 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.911977053 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.912074089 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:11.923166990 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.949445963 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.949527025 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:11.957570076 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.958695889 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.958776951 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:11.963496923 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.977087975 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.977183104 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:11.984600067 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.986860991 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:11.986922979 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.133230925 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.140045881 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.140134096 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.142187119 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.150316954 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.150433064 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.158349037 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.180748940 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.180825949 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.184549093 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.188622952 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.188694954 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.192312002 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.196543932 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.196631908 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.216207027 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.220406055 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.220484972 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.227711916 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.240216970 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.240300894 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.248502970 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.252180099 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.252219915 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.252269030 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.256283998 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.256361961 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.262342930 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.268275023 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.268388987 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.318229914 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.324033022 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.324158907 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.330143929 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.334355116 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.334450960 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.340353012 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.346663952 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.346822977 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.350425959 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.354381084 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.354475021 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.380394936 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.400417089 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.400449991 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.400563955 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.408484936 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.408616066 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.412388086 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.412720919 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.412800074 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.414218903 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.434391975 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.434525013 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.438570023 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.442373991 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.442477942 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.442569971 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.448462009 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.448563099 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.450156927 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.456665039 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.456789970 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.478627920 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.478655100 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.478744984 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.486334085 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.486361980 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.486494064 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.488359928 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.510396957 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.510539055 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.514121056 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.516066074 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.516166925 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.522609949 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.541753054 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.541786909 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.541809082 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.541829109 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.541899920 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.541963100 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.544487000 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.544580936 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.562686920 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.562715054 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.562731028 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.562810898 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.567286015 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.567363977 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.586419106 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.590892076 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.591006041 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.595612049 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.595642090 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.595747948 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.609602928 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.618892908 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.619029999 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.623631001 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.628626108 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.628706932 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.637820959 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.641762018 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.641860962 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.655706882 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.655733109 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.655829906 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.668144941 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.668241978 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.668267965 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.668319941 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.668864012 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.668932915 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.688817978 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.694232941 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.694325924 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.696172953 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.700687885 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.700773954 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.706316948 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.713869095 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.713967085 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.718220949 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.726706028 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.726768970 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.733613968 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.754494905 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.754597902 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.760638952 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.764364958 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.764452934 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.766566038 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.770167112 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.770258904 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.776331902 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.778151035 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.778253078 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.784632921 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.792093992 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.792193890 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.800081968 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.808121920 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.808223009 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.816407919 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.824521065 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.824620962 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.829916000 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.836061954 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.836153030 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.842407942 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.849961996 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.850066900 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.858135939 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.866096973 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.866204977 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.878267050 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.884903908 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.884994030 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.888191938 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.895385981 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.895499945 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.900358915 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.904577971 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.904654980 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.910479069 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.930352926 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.930484056 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.933602095 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.933620930 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.933706045 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.952522039 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.956525087 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.956630945 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.960221052 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.962656975 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.962735891 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.968522072 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.974294901 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:12.974395990 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:12.980787039 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.002464056 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.002600908 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.005884886 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.005906105 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.005987883 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.012054920 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.018336058 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.018448114 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.023545980 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.028120995 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.028215885 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.034434080 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.040246010 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.040343046 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.045954943 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.068675995 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.068792105 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.072936058 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.076977015 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.077001095 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.077059984 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.098453045 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.098615885 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.101238966 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.104157925 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.104263067 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.109119892 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.112126112 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.112235069 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.120151043 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.126351118 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.126487970 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.132184029 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.142381907 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.142520905 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.146518946 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.164654016 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.164733887 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.164906025 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.166562080 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.166740894 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.174484015 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.180557966 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.180706024 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.188128948 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.196206093 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.196284056 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.202685118 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.210597038 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.210717916 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.217880964 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.224025965 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.224167109 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.230014086 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.236470938 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.236687899 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.240032911 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.246217012 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.246448994 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.252408981 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.256375074 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.256535053 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.264678955 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.268172026 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.268299103 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.274683952 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.282658100 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.282738924 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.304750919 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.305214882 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.305310011 CET | 49696 | 2121 | 192.168.2.5 | 185.140.53.207
Nov 26, 2020 07:58:13.305355072 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
Nov 26, 2020 07:58:13.310360909 CET | 2121 | 49696 | 185.140.53.207 | 192.168.2.5
                  Nov 26, 2020 07:58:13.310483932 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.316822052 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.341617107 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.341711998 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.341731071 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.341793060 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.341814041 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.354521036 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.360780001 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.360922098 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.362416983 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.373822927 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.373904943 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.373939037 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.384354115 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.384497881 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.390321016 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.392527103 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.392667055 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.396574020 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.400556087 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.400675058 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.406150103 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.428606987 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.428775072 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.434391975 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.436224937 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.436350107 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.441325903 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.460593939 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.460794926 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.464167118 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.466228008 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.466459036 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.468276024 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.473973036 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.474175930 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.482355118 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.488528967 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.490562916 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.496469021 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.502315998 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.502522945 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.510597944 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.516351938 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.516499996 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.520179987 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.526602030 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.526777029 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.532318115 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.554939985 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.555120945 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.555249929 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.555275917 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.555299997 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.555336952 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.560308933 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.560444117 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.580404997 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.582609892 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.582731009 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.600667000 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.604686975 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.604844093 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.606755972 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.606803894 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.606916904 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.614490986 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.620456934 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.620629072 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.626626968 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.632358074 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.632513046 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.636311054 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.642204046 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.642349958 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.650372028 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.668584108 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.668766975 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.675148010 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.676542997 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.676657915 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.678325891 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.684284925 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.684403896 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.692692995 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.698321104 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.698401928 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.708435059 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.715759993 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.715883017 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.744245052 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.752336025 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.752450943 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.768224955 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.776279926 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.776401043 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.783744097 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.790137053 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.790246964 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.800133944 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.806435108 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.806551933 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.816381931 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.822545052 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.822623014 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.830384970 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.838613987 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.838903904 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.846246004 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.868566990 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.868607998 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.868686914 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.874409914 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.874558926 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.878235102 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.886028051 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.886118889 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.892352104 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.898507118 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.898646116 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.908253908 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.913954973 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.914068937 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.920325994 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.926551104 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.926637888 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.930222988 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.936646938 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.936742067 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.959752083 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.962307930 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.962369919 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.962620974 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.980546951 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.980647087 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.984410048 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.985976934 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.986052990 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:13.990360975 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.994146109 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:13.994224072 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:14.000402927 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:14.008913040 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:14.009016991 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:14.012342930 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:14.062184095 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:14.456319094 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:14.680641890 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:14.808420897 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:14.859061003 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:15.084378004 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:15.125005960 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:15.161367893 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:15.296109915 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:15.343466043 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:15.421561003 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:15.421772957 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:15.595211029 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:15.598407030 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:15.770431042 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:15.772707939 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:16.018060923 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:16.019514084 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:16.252083063 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:16.651297092 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:16.925985098 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:19.756992102 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:19.797724962 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:19.990693092 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:20.032037973 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:20.720436096 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:21.110078096 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:24.842241049 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:24.891859055 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:25.736149073 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:25.964768887 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:27.832803965 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:27.876521111 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:29.824723959 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:29.876583099 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:30.924290895 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:31.306936026 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:34.829770088 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:34.877063036 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:35.854197979 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:35.908338070 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:36.925060034 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:37.162399054 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:37.424520016 CET4968680192.168.2.593.184.220.29
                  Nov 26, 2020 07:58:37.440972090 CET804968693.184.220.29192.168.2.5
                  Nov 26, 2020 07:58:37.441114902 CET4968680192.168.2.593.184.220.29
                  Nov 26, 2020 07:58:39.849883080 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:39.893296957 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:42.524966955 CET804968993.184.220.29192.168.2.5
                  Nov 26, 2020 07:58:42.526926041 CET4968980192.168.2.593.184.220.29
                  Nov 26, 2020 07:58:42.960727930 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:43.203876972 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:43.955823898 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:44.002865076 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:44.940414906 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:44.987253904 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:45.206003904 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:45.207134008 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:47.925743103 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:48.153951883 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:49.892678022 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:49.940805912 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:51.960251093 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:52.003521919 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:52.972948074 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:53.258063078 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:54.897916079 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:54.941531897 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:58.973325014 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:59.394680023 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:58:59.612082005 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:59.899934053 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:58:59.941831112 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:00.080188036 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:00.256922007 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:00.257199049 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:00.259835958 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:00.259999990 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:00.605909109 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:00.606718063 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:01.299828053 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:01.300134897 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:04.223932981 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:04.645170927 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:04.876519918 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:04.906280994 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:04.957762957 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:08.058734894 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:08.114264965 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:08.390075922 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:08.390254974 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:08.722332001 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:08.722521067 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:09.924485922 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:09.973709106 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:10.240012884 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:10.661313057 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:11.046155930 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:11.048492908 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:14.919975042 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:14.974078894 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:15.240681887 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:15.661741972 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:16.060221910 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:16.130165100 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:16.177509069 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:16.532385111 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:19.928941965 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:19.974565029 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:20.322882891 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:20.573524952 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:24.193785906 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:24.240612984 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:24.939941883 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:24.990602970 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:25.584959984 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:25.857939959 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:29.990346909 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:30.037810087 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:30.585653067 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:30.959904909 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:31.181819916 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:32.227729082 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:32.272489071 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:34.956016064 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:35.007061958 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:36.592624903 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:36.885850906 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:40.012438059 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:40.054771900 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:40.284254074 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:40.335604906 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:42.586570978 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:42.883919001 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:43.964863062 CET804968993.184.220.29192.168.2.5
                  Nov 26, 2020 07:59:43.964981079 CET4968980192.168.2.593.184.220.29
                  Nov 26, 2020 07:59:44.974524021 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:45.023536921 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:47.586714983 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:47.818329096 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:48.317872047 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:48.367532015 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:49.989793062 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:50.039577007 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:53.596254110 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:53.943794012 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:54.993971109 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:55.040185928 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:55.266556025 CET44349688204.79.197.200192.168.2.5
                  Nov 26, 2020 07:59:56.286598921 CET804968993.184.220.29192.168.2.5
                  Nov 26, 2020 07:59:56.288750887 CET4968980192.168.2.593.184.220.29
                  Nov 26, 2020 07:59:56.390194893 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 07:59:56.430737972 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:59.087692976 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 07:59:59.457268000 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 08:00:00.012063026 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 08:00:00.055926085 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 08:00:04.088371038 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 08:00:04.304354906 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 08:00:04.480609894 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 08:00:04.525078058 CET496962121192.168.2.5185.140.53.207
                  Nov 26, 2020 08:00:05.014101982 CET212149696185.140.53.207192.168.2.5
                  Nov 26, 2020 08:00:05.056369066 CET496962121192.168.2.5185.140.53.207

                  UDP Packets

                  Timestamp  Source Port  Dest Port  Source IP  Dest IP
                  Nov 26, 2020 07:57:57.998034954 CET  64936  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:57:58.033602953 CET  53  64936  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:57:58.863831997 CET  52704  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:57:58.899288893 CET  53  52704  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:01.444466114 CET  52212  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:01.471843958 CET  53  52212  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:07.016284943 CET  54302  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:07.053309917 CET  53  54302  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:33.139759064 CET  53784  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:33.166909933 CET  53  53784  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:33.970594883 CET  65307  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:33.998008966 CET  53  65307  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:38.145914078 CET  64344  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:38.185548067 CET  53  64344  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:40.843112946 CET  62060  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:40.870227098 CET  53  62060  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:41.683815002 CET  61805  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:41.711005926 CET  53  61805  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:42.546552896 CET  54795  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:42.573625088 CET  53  54795  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:43.389050007 CET  49557  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:43.416213989 CET  53  49557  8.8.8.8  192.168.2.5
                  Nov 26, 2020 07:58:44.212383032 CET  61733  53  192.168.2.5  8.8.8.8
                  Nov 26, 2020 07:58:44.239660978 CET  53  61733  8.8.8.8  192.168.2.5

                  Code Manipulations

                  Statistics

                  CPU Usage

                  Memory Usage

                  High Level Behavior Distribution

                  Behavior

                  System Behavior

                  General

                  Start time: 07:57:53
                  Start date: 26/11/2020
                  Path: C:\Users\user\Desktop\New PO 64739 (UK).exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\user\Desktop\New PO 64739 (UK).exe'
                  Imagebase: 0xf40000
                  File size: 936960 bytes
                  MD5 hash: B6BABB0D3661CD172C93C496DC4C1DB1
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.265117190.0000000003390000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:07:58:04
                  Start date:26/11/2020
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
                  Imagebase:0x860000
                  File size:185856 bytes
                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:58:05
                  Start date:26/11/2020
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7ecfc0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:58:05
                  Start date:26/11/2020
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Imagebase:0xbb0000
                  File size:261728 bytes
                  MD5 hash:D621FD77BD585874F9686D3A76462EF1
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.510056845.0000000004A34000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.509942877.00000000049FA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth
                  Reputation:moderate

                  Disassembly

                  Code Analysis

                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID: Iyx$Iyx
                    • API String ID: 2591292051-3916884457
                    • Opcode ID: ff9c6086e6ae16a4d36af3dfa7579e5e7f0de7dcef70b6ac5c3eae00eb83062b
                    • Instruction ID: 2c4129d862c9d2accfd9b64d84b290e8e40d6a44bcc99194fdf35fb283c26f6d
                    • Opcode Fuzzy Hash: ff9c6086e6ae16a4d36af3dfa7579e5e7f0de7dcef70b6ac5c3eae00eb83062b
                    • Instruction Fuzzy Hash: 5AC14570D24219CFEF28DFA6D84469CBBB2FB49300F10946AD01ABB244DB745985CF24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: Iyx$Iyx
                    • API String ID: 0-3916884457
                    • Opcode ID: 4fa8573bf19e932614467285fb3b85b25e6ce14bfc2e1b6afa9eaebc582fc7ea
                    • Instruction ID: 06918f79a4a6604a16fa88ed557491cf0666d4a2fab9e7f6879c15e724db972a
                    • Opcode Fuzzy Hash: 4fa8573bf19e932614467285fb3b85b25e6ce14bfc2e1b6afa9eaebc582fc7ea
                    • Instruction Fuzzy Hash: AAB12570D25219CFEF28DFAAD84469DBBF2FB89300F10956AD00AEB254DB745985CF24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03290C6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: InformationProcessQuery
                    • String ID:
                    • API String ID: 1778838933-0
                    • Opcode ID: 7ffcb41d76ed277926189017febd22f5a71753eaee5acbe226911fc148faaf32
                    • Instruction ID: 35cf3153b4875dda617a97eaf0746e96f7ec4b2d869a99921b48110a3f0f7175
                    • Opcode Fuzzy Hash: 7ffcb41d76ed277926189017febd22f5a71753eaee5acbe226911fc148faaf32
                    • Instruction Fuzzy Hash: 254195B9D042589FCF10CFAAD984ADEFBB1BB59310F14A02AE814B7210D335A945CF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03290C6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: InformationProcessQuery
                    • String ID:
                    • API String ID: 1778838933-0
                    • Opcode ID: e9081b78f6351ff6d0db2f79d0886146c3a4e1a82ab0304c7d3178c8812ee30b
                    • Instruction ID: 8456b695e2a6998e654adec86541263ca64b1d058c003b8ae5ecd2921b39f247
                    • Opcode Fuzzy Hash: e9081b78f6351ff6d0db2f79d0886146c3a4e1a82ab0304c7d3178c8812ee30b
                    • Instruction Fuzzy Hash: 9F4185B9D042589FCF10CFAAD984A9EFBB1BB59310F10902AE814B7310D335A945CF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03290C6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: InformationProcessQuery
                    • String ID:
                    • API String ID: 1778838933-0
                    • Opcode ID: aaae39656b0392ae31855bff2526e884dcfb984d587ccbaf8c2bbaf5440174df
                    • Instruction ID: 59d80f29f2a943339e062b938926a5b297dac4012c81666a984541d2631929c0
                    • Opcode Fuzzy Hash: aaae39656b0392ae31855bff2526e884dcfb984d587ccbaf8c2bbaf5440174df
                    • Instruction Fuzzy Hash: 8D4166B9D042589FCF10CFA9E980ADEFBB1BB59310F14902AE814B7210D335A946CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.274642811.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ea0337f120b7d0d4a12149ed3b8c7c24a068dc53371950d53f5febc998a6b4c5
                    • Instruction ID: 4cfc663f6d2364e6ab005de090d199d7a7e096ea22bc0eadd1ced0d7a37aef53
                    • Opcode Fuzzy Hash: ea0337f120b7d0d4a12149ed3b8c7c24a068dc53371950d53f5febc998a6b4c5
                    • Instruction Fuzzy Hash: 60A13674E0421D8FDB54EFE9C484A9EFBF2AF89314F24C129D426AB245D7349981CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d14796490daf083a41af0b1fd830bf78d728dfffc38ec53a46cf010b0846e7be
                    • Instruction ID: b272d77b9588662250312c5c5cbb3ce5fe3505ed147091154d775c7e15d234e7
                    • Opcode Fuzzy Hash: d14796490daf083a41af0b1fd830bf78d728dfffc38ec53a46cf010b0846e7be
                    • Instruction Fuzzy Hash: A66113B0D21208DFDF18CFA5E488A9DBBB2FF89300F11D46AD416AB254DB345986CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 54282e9a677802f9a48edbbf78ead0b9aa9bd8a858caeb5c54c2054ce079b0ea
                    • Instruction ID: 8e1cd2f3c89a2346f5e61c0541eb97f33e9de555708392241a7aa445389f4317
                    • Opcode Fuzzy Hash: 54282e9a677802f9a48edbbf78ead0b9aa9bd8a858caeb5c54c2054ce079b0ea
                    • Instruction Fuzzy Hash: 506125B0D21208DFDF18CFA5E488A9DBBB2FF89300F11D46AD416AB258D7745A86CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: de3fd7dda868e7de7b58bd30099b516e8c2919c859e8d5cc19053d1bad7826f8
                    • Instruction ID: 239c4e170a3a8c3badf7d4d21803053de68455847d7232325cf51a3fd3c4a318
                    • Opcode Fuzzy Hash: de3fd7dda868e7de7b58bd30099b516e8c2919c859e8d5cc19053d1bad7826f8
                    • Instruction Fuzzy Hash: B951F371E1470DCBDB24CFA9D99059DFBB6FF89304F20822AD519AB214EB706986CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 40ed6b0050f8a68a7cd5081be408e060184762ee14e4a3d0a2e4674c7863ce89
                    • Instruction ID: e9c49cda2a62004adfea8970ed8d1e6c3d862cad18802ccba2d1b1e364b48407
                    • Opcode Fuzzy Hash: 40ed6b0050f8a68a7cd5081be408e060184762ee14e4a3d0a2e4674c7863ce89
                    • Instruction Fuzzy Hash: 33510675D14709CBDF14CFA9D98059DFBB6FF89304F24822AD419AB214EB706986CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9d8f78af62328948005d33da76b40ba1276e2d29dde246123b55788eb5a6e794
                    • Instruction ID: 522743ad8a84fbb329105fe77b203fd9de9300d73051cab47729d9b4b3cc07f4
                    • Opcode Fuzzy Hash: 9d8f78af62328948005d33da76b40ba1276e2d29dde246123b55788eb5a6e794
                    • Instruction Fuzzy Hash: 82317230E25208EFDB08CFB5D98456EFBF2EFC9300F24D4A6C005AB258D7748A419B14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b7d3e93caa7ae295c44085dd3a7a57a038ee7ce78c2e765028239a8eb373da3
                    • Instruction ID: 386a992231fa8ebcba112ac62c9b9d94db3dfae3bbf21c8eaa4db419e04045ab
                    • Opcode Fuzzy Hash: 5b7d3e93caa7ae295c44085dd3a7a57a038ee7ce78c2e765028239a8eb373da3
                    • Instruction Fuzzy Hash: F9314570E25209EFDB08CFB5D98456EFBF2EF89300F24D4A6C005AB258D7749A459B14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 032986B8
                    • GetCurrentThread.KERNEL32 ref: 032986F5
                    • GetCurrentProcess.KERNEL32 ref: 03298732
                    • GetCurrentThreadId.KERNEL32 ref: 0329878B
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 94d8e11201446de93c86b873cafeea702c5791d065bb7a97642e6ac94ad933cc
                    • Instruction ID: 7188a2540bb144ed4689f606c3cba8e31189f5309776e360a370963ac3e3eeed
                    • Opcode Fuzzy Hash: 94d8e11201446de93c86b873cafeea702c5791d065bb7a97642e6ac94ad933cc
                    • Instruction Fuzzy Hash: 705144B4910349CFEB14CFA9C9887DEBBF1BF49314F29845AE419A73A0D7349884CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 032986B8
                    • GetCurrentThread.KERNEL32 ref: 032986F5
                    • GetCurrentProcess.KERNEL32 ref: 03298732
                    • GetCurrentThreadId.KERNEL32 ref: 0329878B
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: d9bd7f9ec45448e327f7e2d55980b241aa57b9d2748bc17a615420d778ad29ae
                    • Instruction ID: a00f93b874b74e495932a8a182cbc21c75fce489be8cc8648a4cf8c12107d48b
                    • Opcode Fuzzy Hash: d9bd7f9ec45448e327f7e2d55980b241aa57b9d2748bc17a615420d778ad29ae
                    • Instruction Fuzzy Hash: 255145B49103498FDB14CFA9D9887DEBBF1BF49314F288459E419A7350D7349884CF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06A1F13F
                    Memory Dump Source
                    • Source File: 00000000.00000002.274642811.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: 6d1b24b1403fa7b32d77f74f29c8daf2f42ed8d6d72bf2ad63c48b2ed214b2c6
                    • Instruction ID: d81b109e1dbfe9a43fa04cb1f03f1116687c78546a30464c9d0b897569e629c2
                    • Opcode Fuzzy Hash: 6d1b24b1403fa7b32d77f74f29c8daf2f42ed8d6d72bf2ad63c48b2ed214b2c6
                    • Instruction Fuzzy Hash: 5CC14575D042698FDF60DFA4C840BEEBBB1BF49314F0185A9D919BB240DB749A89CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNEL32(?), ref: 0329D922
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: c5ddee90290d2ef9d6c672a5e02405653e67904a89e41c8810ba66c04e0c6880
                    • Instruction ID: 50574ded051fb91b9d02f51e21fc7356e7b63e1d02ac01d8eded2c6a3277340e
                    • Opcode Fuzzy Hash: c5ddee90290d2ef9d6c672a5e02405653e67904a89e41c8810ba66c04e0c6880
                    • Instruction Fuzzy Hash: 24915574A10B098FEB24DF69D58479ABBF5FF48204F04892AD44AEBB50D730E885CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0329FA99
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: d9fad0f2446eda68bee7617177277334fcc92c218aa10c0fd0cd540d303cb21c
                    • Instruction ID: 4d20698f6e3a68f61b404cf2a86e4e87a1173483d28d03f8f992d4a1a7932d30
                    • Opcode Fuzzy Hash: d9fad0f2446eda68bee7617177277334fcc92c218aa10c0fd0cd540d303cb21c
                    • Instruction Fuzzy Hash: 96718AB4D10218DFDF60CFA9D984BDDBBB1BB09304F1491AAE808B7211D730AA85CF55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0329FA99
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 992422aa7ffa2e2bbd87aeeed563b8132810f420919c1a7465aaee8048b76b49
                    • Instruction ID: ae79742134973c49617f622104e325cf43cb3cc8bafcc7a66ce48c99e4f04695
                    • Opcode Fuzzy Hash: 992422aa7ffa2e2bbd87aeeed563b8132810f420919c1a7465aaee8048b76b49
                    • Instruction Fuzzy Hash: 7A717AB4D14218DFDF60CFA9D984BDDFBB1BB09304F1491AAE808A7211D770AA85CF55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 06A1EB33
                    Memory Dump Source
                    • Source File: 00000000.00000002.274642811.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 1aca424bdb5c64aeaab22bdf56b8ccb1bbebfdabc73a183fd04d843559680a1c
                    • Instruction ID: f52ea6ef07cff086560fbe3e0be48cfade54f226dc8f1af4851b115d2f0ed475
                    • Opcode Fuzzy Hash: 1aca424bdb5c64aeaab22bdf56b8ccb1bbebfdabc73a183fd04d843559680a1c
                    • Instruction Fuzzy Hash: 11419AB5D052589FCF00DFA9D984AEEFBF1BB49314F14942AE815BB200D734AA45CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0329894B
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 43f4dac1df7a5594e615d0ee27303f02b902d28a5e233cbff0fb0aace68193d6
                    • Instruction ID: 7d0fee712f5082f3e4307b678201e93b5d475728446d112cbb8c93dd907a2b09
                    • Opcode Fuzzy Hash: 43f4dac1df7a5594e615d0ee27303f02b902d28a5e233cbff0fb0aace68193d6
                    • Instruction Fuzzy Hash: 8E4176B9D002589FDF00CFA9D984ADEBBF5BB19310F14902AE918BB310D335A995CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0329894B
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: cf3767142da3176bd48118af9bef5a41c473216f004046768556849f311d43bc
                    • Instruction ID: 9b52676477e729c8cf5b1a2b1eb57fb8f8b38f4c98dde96bfc561c68e42d0c60
                    • Opcode Fuzzy Hash: cf3767142da3176bd48118af9bef5a41c473216f004046768556849f311d43bc
                    • Instruction Fuzzy Hash: 014166B9D002589FDF00CFA9D984ADEBBF5BB19314F14902AE918BB310D335A995CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06A1EC9A
                    Memory Dump Source
                    • Source File: 00000000.00000002.274642811.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: eefb6225600d9b60fe443e07c7ab8943a7f8e48a8fe7b9a7398153c2e25329ac
                    • Instruction ID: f224c88550b399401a8c8e9b4fe34663459efe32959551428fe45887b0c43d2b
                    • Opcode Fuzzy Hash: eefb6225600d9b60fe443e07c7ab8943a7f8e48a8fe7b9a7398153c2e25329ac
                    • Instruction Fuzzy Hash: 1F41BBB5D04258DFCF10DFAAD984AEEFBB1BB49314F14942AE814BB200D734A945CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06A1E9BA
                    Memory Dump Source
                    • Source File: 00000000.00000002.274642811.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 3ca7eee13002d9d54420698048e0e4b41adc6a316f4a70e77c197ea5455be79f
                    • Instruction ID: 34cb946d81681be19859b013f5458279e50609e050883c8f91841e453ef3428c
                    • Opcode Fuzzy Hash: 3ca7eee13002d9d54420698048e0e4b41adc6a316f4a70e77c197ea5455be79f
                    • Instruction Fuzzy Hash: 7D31A8B9D042589FCF10CFA9D984ADEFBB1BB49310F14942AE814BB300D735A946CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0329DC4A
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 5ef6ea31781d3d7f1f63c86eeccefefae16a3f4e2d68fc99e76b06404e2b8b40
                    • Instruction ID: 0f85f2c01810f4239993255c022c54a7580c65772133f3b9c0377d7400b8e1b5
                    • Opcode Fuzzy Hash: 5ef6ea31781d3d7f1f63c86eeccefefae16a3f4e2d68fc99e76b06404e2b8b40
                    • Instruction Fuzzy Hash: 2C4197B4D102589FCF10CFA9D484A9EFBF1BB49310F14902AE818B7210D374A985CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetThreadContext.KERNEL32(?,?), ref: 06A1E7D7
                    Memory Dump Source
                    • Source File: 00000000.00000002.274642811.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    • Opcode ID: d5e26f32ab7f07c6b2cd707190f739070de59d2598a927919f088a3810ef99cc
                    • Instruction ID: f3f601dd4c5fe035166ba51c20aad2711eb47b2e2074b24467e23033515a805d
                    • Opcode Fuzzy Hash: d5e26f32ab7f07c6b2cd707190f739070de59d2598a927919f088a3810ef99cc
                    • Instruction Fuzzy Hash: 7B31BEB5D002589FDB10DFA9D884AEEFBF1BF49314F14842AE814BB240D738A985CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0329DC4A
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 1b808baab2aa3637f940505d3e66bddff3206adf4529470ad2617f8b2e9964a8
                    • Instruction ID: 13b536588cc2230a18a080be641a9f356306a8b2346bcabcd6b22bba320c08a0
                    • Opcode Fuzzy Hash: 1b808baab2aa3637f940505d3e66bddff3206adf4529470ad2617f8b2e9964a8
                    • Instruction Fuzzy Hash: 0D4177B8D00259DFCF10CFA9D484A9EFBF1BB59314F14902AE814B7210D774A985CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OutputDebugStringW.KERNEL32(?), ref: 0329179A
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: DebugOutputString
                    • String ID:
                    • API String ID: 1166629820-0
                    • Opcode ID: 8669459683daedfc773af15081aa7bb4a8ffb4b7c5f14075ea83cf32fa44fa36
                    • Instruction ID: 1a9be7003db901fd6aa596b33164230f31f9415bf1fccebbcaa895a6b4d503bb
                    • Opcode Fuzzy Hash: 8669459683daedfc773af15081aa7bb4a8ffb4b7c5f14075ea83cf32fa44fa36
                    • Instruction Fuzzy Hash: F331DBB4D142199FDB10CFAAD984ADEFBF1AF49314F14806AE814B7210D730A985CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNEL32(?), ref: 0329D922
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.274642811.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:

                    APIs
                    • FindCloseChangeNotification.KERNEL32(?), ref: 03291876
                    Memory Dump Source
                    • Source File: 00000000.00000002.264948621.0000000003290000.00000040.00000001.sdmp, Offset: 03290000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 053B962E
                    Memory Dump Source
                    • Source File: 00000004.00000002.512284571.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053BFD0A
                    Memory Dump Source
                    • Source File: 00000004.00000002.512284571.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,053BBCC6,?,?,?,?,?), ref: 053BBD87
                    Memory Dump Source
                    • Source File: 00000004.00000002.512284571.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,053B96A9,00000800,00000000,00000000), ref: 053B98BA
                    Memory Dump Source
                    • Source File: 00000004.00000002.512284571.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:

                    APIs
                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,053BFE28,?,?,?,?), ref: 053BFE9D
                    Memory Dump Source
                    • Source File: 00000004.00000002.512284571.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                    Similarity
                    • API ID: LongWindow
                    • String ID:

                    Non-executed Functions